Analysis
max time kernel: 171s
max time network: 131s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 08:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
131bd20028d25e5bb2816836c67371d3.exe
Resource
win7-20231215-en
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
131bd20028d25e5bb2816836c67371d3.exe
Resource
win10v2004-20231215-en
0 signatures
150 seconds
General
Target: 131bd20028d25e5bb2816836c67371d3.exe
Size: 31KB
MD5: 131bd20028d25e5bb2816836c67371d3
SHA1: 8a5215cd57aff57e60495a9dec0335747f6b99a2
SHA256: d08db1f6757777cde545672a778215179dacf940a74d56125f7d7a0f90f9f3ad
SHA512: cc0157cdf2a3098f29ca5084d75df7ef027ae421490374fdf01e5a33c184d85026336853560f968c3e15a98b73cbc31c806cdbb38ba10c4428b326a0a1b57d14
SSDEEP: 768:3EIrDYMkAMBzO0SKi+P5u8/VIfP673+D61q1pbKYgQjKoe:hDYmYypKi+P5u8/mfPsuD61cEQO
Score: 7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe
-
Drops file in System32 directory 64 IoCs
description ioc Process
File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe
File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe
File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe
File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid 544, pid_target 1984, Process WerFault.exe, procid_target 370
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\131bd20028d25e5bb2816836c67371d3.exe"C:\Users\Admin\AppData\Local\Temp\131bd20028d25e5bb2816836c67371d3.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"12⤵PID:1280
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"16⤵PID:1744
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:400 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1348 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1672 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2268 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"21⤵PID:2184
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2172 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2208 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2292 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1928 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"26⤵PID:2284
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2724 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"28⤵PID:2508
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2952 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵PID:2808
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2768 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2628 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"6⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"7⤵PID:596
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"9⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"10⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2324
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1444 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1576 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"4⤵PID:1248
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵PID:2752
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵PID:1932
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2968 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵PID:1776
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵PID:908
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵PID:2452
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵PID:2492
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵PID:2112
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵PID:2296
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵PID:2096
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵PID:1160
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵
- Executes dropped EXE
PID:1860
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵PID:3068
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵
- Adds Run key to start application
PID:644
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵PID:1600
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵PID:696
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵PID:2896
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"4⤵PID:2340
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"1⤵PID:3008
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵PID:1664
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵PID:2216
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"4⤵PID:1852
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"5⤵PID:1284
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"6⤵PID:1248
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"7⤵PID:2312
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"8⤵PID:2352
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"9⤵PID:1204
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"10⤵PID:2088
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"11⤵PID:1084
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"12⤵PID:2288
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"13⤵PID:2484
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"14⤵PID:1644
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"15⤵PID:1988
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"16⤵
- Adds Run key to start application
PID:564 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"17⤵PID:1884
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"18⤵PID:1268
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"19⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"20⤵PID:2364
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"21⤵PID:2704
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"22⤵PID:1656
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"23⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"24⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"25⤵PID:2284
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"26⤵PID:2748
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"27⤵PID:2148
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"28⤵PID:2076
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"29⤵PID:1696
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"30⤵PID:2016
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"31⤵PID:2436
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"32⤵PID:2272
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"33⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"34⤵PID:3008
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"35⤵
- Adds Run key to start application
PID:1052 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"36⤵PID:1304
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"37⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"38⤵PID:2972
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"39⤵PID:2344
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"40⤵PID:2964
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"41⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2752 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"42⤵PID:1104
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"43⤵PID:2260
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"44⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"45⤵PID:1640
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"46⤵PID:2760
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"48⤵PID:1968
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"49⤵
- Adds Run key to start application
PID:1732 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"50⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2184 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"51⤵
- Adds Run key to start application
PID:1712 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"52⤵PID:1272
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"53⤵PID:2400
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"54⤵PID:2364
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"55⤵PID:2704
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"56⤵PID:1656
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"57⤵PID:2712
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"58⤵PID:2596
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"59⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2284 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"60⤵PID:2740
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"61⤵PID:2960
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"62⤵PID:3036
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"63⤵
- Adds Run key to start application
PID:1696 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"64⤵PID:1556
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"65⤵PID:2924
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"66⤵PID:1940
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"67⤵PID:1828
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"68⤵PID:1800
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"69⤵PID:1792
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"70⤵PID:2440
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"71⤵PID:1284
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"72⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"73⤵PID:1008
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"74⤵PID:1856
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"75⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"76⤵PID:1520
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"77⤵
- Adds Run key to start application
PID:1584 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"78⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"79⤵PID:2128
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"80⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"81⤵PID:588
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"82⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"83⤵PID:1624
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"84⤵PID:2160
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"85⤵PID:2492
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"86⤵PID:2956
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"87⤵
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"88⤵PID:2948
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"89⤵PID:3016
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"90⤵
- Adds Run key to start application
PID:636 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"91⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"92⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"93⤵PID:2740
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"94⤵PID:2960
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"95⤵PID:2328
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"96⤵PID:2108
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"97⤵PID:1556
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"98⤵PID:2304
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"99⤵PID:1664
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"100⤵PID:1144
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"101⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"102⤵PID:2396
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"103⤵
- Adds Run key to start application
PID:2420 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"104⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"105⤵PID:3044
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"106⤵PID:1932
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"107⤵PID:2248
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"108⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"109⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2508 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"110⤵PID:1772
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"111⤵PID:2100
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"112⤵PID:1972
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"113⤵PID:1488
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"114⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"115⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"116⤵PID:1768
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"117⤵
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"118⤵PID:1252
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"119⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"120⤵PID:2956
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"121⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"122⤵PID:2776
-