cab61ef5a0eab517b148b76d18ca22da59de49b7e48e85d4f4022f2645457fc6

Analysis

max time kernel
156s
max time network
33s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e126fe12f819972684ab3486bcd1018.exe
Size

24KB
MD5

0e126fe12f819972684ab3486bcd1018
SHA1

9fc90e757b3d811be4e47e7e24db9396ced2a72e
SHA256

cab61ef5a0eab517b148b76d18ca22da59de49b7e48e85d4f4022f2645457fc6
SHA512

56b27091e0495644c8facd5001b90cf262f47b431cbd6a05adcdc1dfa3294904cdfe8b336a7655ae53eeda3d832be423c6a0a7cb524141595af22fc331bf9116
SSDEEP

384:ebhOmmnnw7/ru/rUQZebPufrWfyy1q9HuJ9TG5n3bIxgq/NWkiNIre2G:mOmmwyxyP4ygdQ45nBq/NWkUIrg

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
836	svshost.exe
2712	svshost.exe
2784	svshost.exe
2316	svshost.exe
2100	svshost.exe
2108	svshost.exe
2728	svshost.exe
2848	svshost.exe
2580	svshost.exe
2680	svshost.exe
2112	svshost.exe
1740	svshost.exe
1300	svshost.exe
2920	svshost.exe
2964	svshost.exe
2960	svshost.exe
2968	svshost.exe
2984	svshost.exe
2816	svshost.exe
1144	svshost.exe
740	svshost.exe
1908	svshost.exe
328	svshost.exe
1972	svshost.exe
2456	svshost.exe
900	svshost.exe
1868	svshost.exe
2780	svshost.exe
1048	svshost.exe
968	svshost.exe
572	svshost.exe
560	svshost.exe
1644	svshost.exe
2896	svshost.exe
2880	svshost.exe
2888	svshost.exe
556	svshost.exe
320	svshost.exe
736	svshost.exe
1688	svshost.exe
1008	svshost.exe
1636	svshost.exe
1652	svshost.exe
2460	svshost.exe
2532	svshost.exe
2092	svshost.exe
2364	svshost.exe
1248	svshost.exe
3036	svshost.exe
2748	svshost.exe
2500	svshost.exe
2656	svshost.exe
2272	svshost.exe
1616	svshost.exe
1364	svshost.exe
2080	svshost.exe
828	svshost.exe
3016	svshost.exe
2352	svshost.exe
2436	svshost.exe
1776	svshost.exe
1100	svshost.exe
2264	svshost.exe
1220	svshost.exe

Loads dropped DLL 64 IoCs

pid	Process
2180	0e126fe12f819972684ab3486bcd1018.exe
2180	0e126fe12f819972684ab3486bcd1018.exe
836	svshost.exe
836	svshost.exe
2712	svshost.exe
2712	svshost.exe
2784	svshost.exe
2784	svshost.exe
2316	svshost.exe
2316	svshost.exe
2100	svshost.exe
2100	svshost.exe
2108	svshost.exe
2108	svshost.exe
2728	svshost.exe
2728	svshost.exe
2848	svshost.exe
2848	svshost.exe
2580	svshost.exe
2580	svshost.exe
2680	svshost.exe
2680	svshost.exe
2112	svshost.exe
2112	svshost.exe
1740	svshost.exe
1740	svshost.exe
1300	svshost.exe
1300	svshost.exe
2920	svshost.exe
2920	svshost.exe
2964	svshost.exe
2964	svshost.exe
2960	svshost.exe
2960	svshost.exe
2968	svshost.exe
2968	svshost.exe
2984	svshost.exe
2984	svshost.exe
2816	svshost.exe
2816	svshost.exe
1144	svshost.exe
1144	svshost.exe
740	svshost.exe
740	svshost.exe
1908	svshost.exe
1908	svshost.exe
328	svshost.exe
328	svshost.exe
1972	svshost.exe
1972	svshost.exe
2456	svshost.exe
2456	svshost.exe
900	svshost.exe
900	svshost.exe
1868	svshost.exe
1868	svshost.exe
2780	svshost.exe
2780	svshost.exe
1048	svshost.exe
1048	svshost.exe
968	svshost.exe
968	svshost.exe
572	svshost.exe
572	svshost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "svshost.exe"	svshost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe
File created	C:\Windows\SysWOW64\svshost.exe	svshost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 836	2180	0e126fe12f819972684ab3486bcd1018.exe	28
PID 2180 wrote to memory of 836	2180	0e126fe12f819972684ab3486bcd1018.exe	28
PID 2180 wrote to memory of 836	2180	0e126fe12f819972684ab3486bcd1018.exe	28
PID 2180 wrote to memory of 836	2180	0e126fe12f819972684ab3486bcd1018.exe	28
PID 836 wrote to memory of 2712	836	svshost.exe	31
PID 836 wrote to memory of 2712	836	svshost.exe	31
PID 836 wrote to memory of 2712	836	svshost.exe	31
PID 836 wrote to memory of 2712	836	svshost.exe	31
PID 2712 wrote to memory of 2784	2712	svshost.exe	32
PID 2712 wrote to memory of 2784	2712	svshost.exe	32
PID 2712 wrote to memory of 2784	2712	svshost.exe	32
PID 2712 wrote to memory of 2784	2712	svshost.exe	32
PID 2784 wrote to memory of 2316	2784	svshost.exe	33
PID 2784 wrote to memory of 2316	2784	svshost.exe	33
PID 2784 wrote to memory of 2316	2784	svshost.exe	33
PID 2784 wrote to memory of 2316	2784	svshost.exe	33
PID 2316 wrote to memory of 2100	2316	svshost.exe	34
PID 2316 wrote to memory of 2100	2316	svshost.exe	34
PID 2316 wrote to memory of 2100	2316	svshost.exe	34
PID 2316 wrote to memory of 2100	2316	svshost.exe	34
PID 2100 wrote to memory of 2108	2100	svshost.exe	35
PID 2100 wrote to memory of 2108	2100	svshost.exe	35
PID 2100 wrote to memory of 2108	2100	svshost.exe	35
PID 2100 wrote to memory of 2108	2100	svshost.exe	35
PID 2108 wrote to memory of 2728	2108	svshost.exe	36
PID 2108 wrote to memory of 2728	2108	svshost.exe	36
PID 2108 wrote to memory of 2728	2108	svshost.exe	36
PID 2108 wrote to memory of 2728	2108	svshost.exe	36
PID 2728 wrote to memory of 2848	2728	svshost.exe	37
PID 2728 wrote to memory of 2848	2728	svshost.exe	37
PID 2728 wrote to memory of 2848	2728	svshost.exe	37
PID 2728 wrote to memory of 2848	2728	svshost.exe	37
PID 2848 wrote to memory of 2580	2848	svshost.exe	38
PID 2848 wrote to memory of 2580	2848	svshost.exe	38
PID 2848 wrote to memory of 2580	2848	svshost.exe	38
PID 2848 wrote to memory of 2580	2848	svshost.exe	38
PID 2580 wrote to memory of 2680	2580	svshost.exe	39
PID 2580 wrote to memory of 2680	2580	svshost.exe	39
PID 2580 wrote to memory of 2680	2580	svshost.exe	39
PID 2580 wrote to memory of 2680	2580	svshost.exe	39
PID 2680 wrote to memory of 2112	2680	svshost.exe	40
PID 2680 wrote to memory of 2112	2680	svshost.exe	40
PID 2680 wrote to memory of 2112	2680	svshost.exe	40
PID 2680 wrote to memory of 2112	2680	svshost.exe	40
PID 2112 wrote to memory of 1740	2112	svshost.exe	41
PID 2112 wrote to memory of 1740	2112	svshost.exe	41
PID 2112 wrote to memory of 1740	2112	svshost.exe	41
PID 2112 wrote to memory of 1740	2112	svshost.exe	41
PID 1740 wrote to memory of 1300	1740	svshost.exe	42
PID 1740 wrote to memory of 1300	1740	svshost.exe	42
PID 1740 wrote to memory of 1300	1740	svshost.exe	42
PID 1740 wrote to memory of 1300	1740	svshost.exe	42
PID 1300 wrote to memory of 2920	1300	svshost.exe	43
PID 1300 wrote to memory of 2920	1300	svshost.exe	43
PID 1300 wrote to memory of 2920	1300	svshost.exe	43
PID 1300 wrote to memory of 2920	1300	svshost.exe	43
PID 2920 wrote to memory of 2964	2920	svshost.exe	44
PID 2920 wrote to memory of 2964	2920	svshost.exe	44
PID 2920 wrote to memory of 2964	2920	svshost.exe	44
PID 2920 wrote to memory of 2964	2920	svshost.exe	44
PID 2964 wrote to memory of 2960	2964	svshost.exe	45
PID 2964 wrote to memory of 2960	2964	svshost.exe	45
PID 2964 wrote to memory of 2960	2964	svshost.exe	45
PID 2964 wrote to memory of 2960	2964	svshost.exe	45

C:\Users\Admin\AppData\Local\Temp\0e126fe12f819972684ab3486bcd1018.exe
"C:\Users\Admin\AppData\Local\Temp\0e126fe12f819972684ab3486bcd1018.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\svshost.exe
  C:\Windows\system32\svshost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\svshost.exe
    C:\Windows\system32\svshost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\svshost.exe
      C:\Windows\system32\svshost.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2816
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1144
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1908
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:328
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1972
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2456
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:900
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1868
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2780
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1048
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        33⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        34⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        35⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        36⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        38⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        39⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:736
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        42⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1652
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        45⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        46⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        48⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        51⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2272
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        57⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3016
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        60⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2436
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1776
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        63⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        66⤵
        Adds Run key to start application
        
        PID:1092
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        67⤵
        
        PID:384
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        68⤵
        Adds Run key to start application
        
        PID:1916
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        69⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        70⤵
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        71⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        72⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        73⤵
        Adds Run key to start application
        
        PID:1336
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        75⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        76⤵
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        77⤵
        Adds Run key to start application
        
        PID:1796
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        78⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        79⤵
        Adds Run key to start application
        
        PID:888
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        80⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        81⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        82⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        83⤵
        Adds Run key to start application
        
        PID:1524
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        84⤵
        Adds Run key to start application
        
        PID:2464
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        85⤵
        Adds Run key to start application
        
        PID:1372
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        86⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        87⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        88⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        89⤵
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        90⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        91⤵
        Adds Run key to start application
        
        PID:1512
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        92⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        93⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        94⤵
        Drops file in System32 directory
        
        PID:276
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        95⤵
        Adds Run key to start application
        
        PID:872
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        96⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        97⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        98⤵
        Adds Run key to start application
        
        PID:2344
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        99⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        100⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        101⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        102⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        103⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        104⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        105⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        106⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        107⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        108⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        109⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        110⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        111⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        112⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        113⤵
        Adds Run key to start application
        
        PID:2484
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        114⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        115⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        116⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        117⤵
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        118⤵
        Adds Run key to start application
        
        PID:2932
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        119⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        120⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        121⤵
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        122⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        123⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        124⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        125⤵
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        126⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        127⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        128⤵
        Adds Run key to start application
        
        PID:2580
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        129⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        130⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        131⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        132⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        133⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        134⤵
        Adds Run key to start application
        
        PID:1740
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        135⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        136⤵
        Adds Run key to start application
        
        PID:2988
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        137⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        138⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        139⤵
        Adds Run key to start application
        
        PID:2908
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        140⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\svshost.exe
        
        C:\Windows\system32\svshost.exe
        141⤵
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\svshost.exe

Filesize
24KB

MD5
0e126fe12f819972684ab3486bcd1018

SHA1
9fc90e757b3d811be4e47e7e24db9396ced2a72e

SHA256
cab61ef5a0eab517b148b76d18ca22da59de49b7e48e85d4f4022f2645457fc6

SHA512
56b27091e0495644c8facd5001b90cf262f47b431cbd6a05adcdc1dfa3294904cdfe8b336a7655ae53eeda3d832be423c6a0a7cb524141595af22fc331bf9116

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads