Analysis
- max time kernel: 237s
- max time network: 267s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-12-2023 13:51
Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: 38bb548b5e687f78d749a5698592d106.exe
- Resource: win7-20231215-en (windows7-x64)
- 6 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: 38bb548b5e687f78d749a5698592d106.exe
- Resource: win10v2004-20231215-en (windows10-2004-x64)
- 5 signatures, 150 seconds
General
- Target: 38bb548b5e687f78d749a5698592d106.exe
- Size: 29KB
- MD5: 38bb548b5e687f78d749a5698592d106
- SHA1: d72c960387576aac1ea5c8484d00ea8b43eaf0a8
- SHA256: 07e46de1bc7b9efe4b37efda1053d2f0955ef427d2a6d2a4e844c9c7ee1c5bce
- SHA512: 303b3bd73ad6ab4852fdb4248afeb6075b78d7f5bc9cc10d3e99e688ddb4a39d4b730a4d16953c0fe3f5474215226c0bfea0debce3de0a5a6cd2894faf98ef14
- SSDEEP: 768:kraYE/omnoZ0d6QFYCuMsWu4EmlayA10wR7Atoqzdf0uESw:krajWS6PUDnA10wNA3dzESw
Score: 7/10
Malware Config
Signatures
Every signature below reports exactly 64 IoCs, which is the report's display cap per signature, so none of these lists should be read as complete.

Executes dropped EXE (64 IoCs)
All 64 entries are svhcost.exe. PIDs in order of first appearance: 1144, 2880, 2996, 2516, 2152, 1940, 1956, 1964, 2488, 2468, 1652, 1012, 1572, 2320, 868, 2944, 2124, 2396, 2440, 2392, 1784, 1168, 2536, 1532, 1352, 760, 1588, 1320, 772, 2952, 1328, 2292, 916, 1636, 2912, 2280, 628, 1148, 1732, 1008, 1460, 2284, 2196, 2020, 880, 2056, 884, 1068, 2796, 2860, 2672, 2808, 2112, 2084, 796, 2692, 1824, 2584, 2728, 2916, 3036, 2608, 2560, 2576
Loads dropped DLL (64 IoCs)
Each process is logged twice (32 processes). PID 528 is the original 38bb548b5e687f78d749a5698592d106.exe; the rest are svhcost.exe instances: 1144, 2880, 2996, 2516, 2152, 1940, 1956, 1964, 2488, 2468, 1652, 1012, 1572, 2320, 868, 2944, 2124, 2396, 2440, 2392, 1784, 1168, 2536, 1532, 1352, 760, 1588, 1320, 772, 2952, 1328
Adds Run key to start application (2 TTPs, 64 IoCs)
64 identical events, all attributed to svhcost.exe:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhcost = "C:\\Windows\\system32\\svhcost.exe"
Note: the value lands under Wow6432Node and names C:\Windows\system32\svhcost.exe, while the file is actually written to C:\Windows\SysWOW64\svhcost.exe (see "Drops file in System32 directory"). Both are WOW64 redirection of a 32-bit process on x64 Windows: HKLM\SOFTWARE writes are reflected into the Wow6432Node view and %windir%\system32 file writes go to %windir%\SysWOW64. When hunting on a live x64 host, check the Wow6432Node Run key and the SysWOW64 copy of the file, not only the native views.
Modifies WinLogon (2 TTPs, 64 IoCs)
All events are attributed to svhcost.exe and target one key, repeated across instances:
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svhcost
Values set under ...\Winlogon\Notify\svhcost:
  DllName (str) = "svhcost.dll"
  Logon (str) = "WLELogon"
  Logoff (str) = "WLELogoff"
  Lock (str) = "WLELock"
  Unlock (str) = "WLEUnlock"
  Startup (str) = "WLEStartup"
  Shutdown (str) = "WLEShutdown"
  StartScreenSaver (str) = "WLEStartScreenSaver"
  StopScreenSaver (str) = "WLEStopScreenSaver"
  Impersonate (int) = 0
  Asynchronous (int) = 0
Note: this is the Windows XP/2003 Winlogon notification package schema (a DLL plus one exported handler per logon event). Winlogon stopped loading notification packages in Windows Vista, so on the Windows 7 and Windows 10 images used here the registration is inert. It remains a strong indicator, and the DllName value points at a svhcost.dll that does not appear among the file drops captured in this (capped) report.
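The two registry signatures above (the Run key and the Winlogon\Notify key) are easier to act on once collapsed to one entry per key. The following is an added example, not code from the report or from the sample: it parses lines in the report's own "Set value (...)" / "Key created ..." format, dedupes them, tags each key with its ATT&CK sub-technique (T1547.001 Registry Run Keys and T1547.004 Winlogon Helper DLL, both published IDs) and resolves the WOW64 views a 32-bit writer on x64 Windows actually touched. The sample lines are a constructed subset of the IoCs above; the assumption that the writer is 32-bit is inferred from the Wow6432Node key; the function names and dictionary layout are this example's own.

```python
"""Normalise registry persistence IoCs from a Tria.ge-style report.

Added example, not code from the report or the sample. It parses the
report's own 'Set value (...)' / 'Key created ...' lines, collapses the
repeats, tags each key with its ATT&CK sub-technique and resolves the
WOW64 views a 32-bit writer on x64 Windows actually touched.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied from the two signatures
# above (the report has 64 per signature; the repeats are deliberate).
IOC_TEXT = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhcost = "C:\\Windows\\system32\\svhcost.exe" svhcost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhcost = "C:\\Windows\\system32\\svhcost.exe" svhcost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svhcost svhcost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svhcost\DllName = "svhcost.dll" svhcost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svhcost\Logon = "WLELogon" svhcost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svhcost\Impersonate = "0" svhcost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svhcost\Logon = "WLELogon" svhcost.exe
"""

SET_RE = re.compile(r'^Set value \((str|int)\) (\\REGISTRY\\.+)\\([^\\]+) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Key fragment (lower-case) -> MITRE ATT&CK sub-technique (published IDs).
TECHNIQUES = (
    ("\\winlogon\\notify", "T1547.004 Winlogon Helper DLL"),
    ("\\currentversion\\run", "T1547.001 Registry Run Keys / Startup Folder"),
)
WOW64_NODE = "\\Wow6432Node"
SYS32 = "c:\\windows\\system32\\"


def classify(key):
    low = key.lower()
    for fragment, technique in TECHNIQUES:
        if fragment in low:
            return technique
    return "unmapped"


def native_view(key):
    """The same key as a 64-bit process names it (no WOW64 reflection node)."""
    return key.replace(WOW64_NODE, "")


def on_disk_path(path, writer_is_32bit):
    """Where a path written by the sample really landed: for a WOW64 process
    %windir%\\system32 is redirected to %windir%\\SysWOW64."""
    if writer_is_32bit and path.lower().startswith(SYS32):
        return "C:\\Windows\\SysWOW64\\" + path[len(SYS32):]
    return path


def summarize(text):
    """Collapse IoC lines into one entry per registry key."""
    events, values, created = Counter(), defaultdict(dict), set()
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            vtype, key, name, data, _proc = m.groups()
            events[key] += 1
            # the report prints backslashes in data doubled; undo that
            values[key][name] = (vtype, data.replace("\\\\", "\\"))
            continue
        m = KEY_RE.match(line)
        if m:
            key, _proc = m.groups()
            events[key] += 1
            created.add(key)
    summary = {}
    for key, count in events.items():
        wow64 = (WOW64_NODE + "\\") in key        # written by a 32-bit process on x64
        vals = values.get(key, {})
        summary[key] = {
            "technique": classify(key),
            "events": count,
            "created": key in created,
            "wow64_view": wow64,
            "native_key": native_view(key),
            "values": dict(vals),
            # path-like data, resolved to where the dropper's own writes went
            "on_disk": {n: on_disk_path(d, wow64) for n, (_t, d) in vals.items()
                        if DRIVE_RE.match(d)},
            # Winlogon notification packages are not loaded on Vista and later
            "inert_on_vista_plus": "\\winlogon\\notify" in key.lower(),
        }
    return summary


if __name__ == "__main__":
    for key, info in summarize(IOC_TEXT).items():
        print(f"{info['technique']}  ({info['events']} events; native view: {info['native_key']})")
        for name, (vtype, data) in info["values"].items():
            print(f"    {name} ({vtype}) = {data}")
        if info["on_disk"]:
            print(f"    on disk: {info['on_disk']}")
        if info["inert_on_vista_plus"]:
            print("    note: Winlogon Notify packages are ignored on Vista+; registration is inert")
```

Run it directly to print one entry per key. The "on_disk" resolution of the Run value to C:\Windows\SysWOW64\svhcost.exe is a consistency check against the "Drops file in System32 directory" signature, which records exactly that path.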
Drops file in System32 directory (64 IoCs)
64 identical events, all attributed to svhcost.exe:
File created C:\Windows\SysWOW64\svhcost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every event is a parent writing into the child it has just spawned, and each spawn is logged four times; the trailing procid_target number is the sandbox's sequential index for the target process, not a PID, which is why it runs 26 to 41. Collapsed, the 64 events are the first 16 links of one linear chain:
528 38bb548b5e687f78d749a5698592d106.exe -> 1144 svhcost.exe (target 26)
1144 -> 2880 (27)
2880 -> 2996 (28)
2996 -> 2516 (29)
2516 -> 2152 (30)
2152 -> 1940 (31)
1940 -> 1956 (32)
1956 -> 1964 (33)
1964 -> 2488 (34)
2488 -> 2468 (35)
2468 -> 1652 (36)
1652 -> 1012 (37)
1012 -> 1572 (38)
1572 -> 2320 (39)
2320 -> 868 (40)
868 -> 2944 (41)
Note: four parent-into-new-child writes per spawn is what process creation looks like in this sandbox's event log and is not, by itself, evidence of code injection. What makes the chain notable is that every link is svhcost.exe re-launching itself, and the list ends at 2944 only because the signature is capped at 64 entries.
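To read the WriteProcessMemory list as a process tree instead of 64 near-identical lines, here is an added example (not code from the report or the sample) that parses the report's one-line record format, counts writes per parent/child pair and follows the chain from the root. The embedded sample is a constructed subset: the first five links above, each repeated four times as in the report, plus one invented write from 2152 into 1144 to show how a write into a process the writer did not create is separated from the ordinary parent-into-new-child writes. The only assumption is that the creating parent is the first process seen writing into a child, which matches the event order in this report.

```python
"""Rebuild a spawn chain from 'Suspicious use of WriteProcessMemory' events.

Added example, not code from the report. It parses the report's one-line
'PID <src> wrote to memory of <dst> <src> <image> <target-index>' records,
collapses the four writes per spawn into one edge, follows the chain from
the root and separates ordinary parent-into-new-child writes from writes
into a process the writer did not create (the injection candidates).
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the first five links of the chain above, each logged
# four times as in the report, plus one invented cross-process write
# (2152 -> 1144) to show what an injection candidate looks like.
WPM_EVENTS = (
    "PID 528 wrote to memory of 1144 528 38bb548b5e687f78d749a5698592d106.exe 26 " * 4
    + "PID 1144 wrote to memory of 2880 1144 svhcost.exe 27 " * 4
    + "PID 2880 wrote to memory of 2996 2880 svhcost.exe 28 " * 4
    + "PID 2996 wrote to memory of 2516 2996 svhcost.exe 29 " * 4
    + "PID 2516 wrote to memory of 2152 2516 svhcost.exe 30 " * 4
    + "PID 2152 wrote to memory of 1144 2152 svhcost.exe 26 "   # invented
)

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_events(text):
    """Return (src_pid, dst_pid, src_image) per event, in report order."""
    return [(int(m["src"]), int(m["dst"]), m["image"]) for m in EVENT_RE.finditer(text)]


def build_chain(events):
    """Return (chain, edge_counts, anomalies).

    chain       PIDs from the root down the single spawn chain
    edge_counts {(src, dst): number of write events}
    anomalies   (src, dst) pairs where dst already had a different first
                writer, i.e. src wrote into a process it did not create
    """
    edge_counts = Counter((s, d) for s, d, _ in events)
    first_writer, anomalies = {}, []
    for s, d, _ in events:
        if d not in first_writer:
            first_writer[d] = s            # the creating parent writes first
        elif first_writer[d] != s and (s, d) not in anomalies:
            anomalies.append((s, d))
    children = defaultdict(list)
    for s, d in edge_counts:
        if first_writer[d] == s:
            children[s].append(d)
    roots = [s for s in children if s not in first_writer]
    chain = []
    node = roots[0] if roots else None
    while node is not None:                # stop at a leaf or a fork
        chain.append(node)
        kids = children.get(node, [])
        node = kids[0] if len(kids) == 1 else None
    return chain, dict(edge_counts), anomalies


def images_by_pid(events):
    """Image name of each process that appears as a writer."""
    return {s: img for s, _, img in events}


if __name__ == "__main__":
    evts = parse_events(WPM_EVENTS)
    chain, counts, odd = build_chain(evts)
    names = images_by_pid(evts)
    print("spawn chain (depth %d):" % (len(chain) - 1))
    for parent, child in zip(chain, chain[1:]):
        print(f"  {parent} {names.get(parent, '?')} -> {child}  ({counts[(parent, child)]} writes)")
    print("writes into processes the writer did not create:", odd)
```

Feeding the full 64-event text from the signature above into parse_events gives the 16-link chain listed there, with every edge counted four times and no anomalies.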
Processes
Each entry is spawned by the one above it; the leading number is the depth in the tree. Every svhcost.exe entry has image path C:\Windows\SysWOW64\svhcost.exe and command line C:\Windows\system32\svhcost.exe (the WOW64-redirected view). Per-process flags thin out further down the chain (for example WriteProcessMemory stops at depth 16) because each signature list holds at most 64 entries, not because the behaviour stopped.
1. C:\Users\Admin\AppData\Local\Temp\38bb548b5e687f78d749a5698592d106.exe, PID 528, command line "C:\Users\Admin\AppData\Local\Temp\38bb548b5e687f78d749a5698592d106.exe": Loads dropped DLL; Suspicious use of WriteProcessMemory
2. svhcost.exe, PID 1144: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. svhcost.exe, PID 2880: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. svhcost.exe, PID 2996: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. svhcost.exe, PID 2516: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. svhcost.exe, PID 2152: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. svhcost.exe, PID 1940: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
8. svhcost.exe, PID 1956: Executes dropped EXE; Loads dropped DLL; Modifies WinLogon; Suspicious use of WriteProcessMemory
9. svhcost.exe, PID 1964: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. svhcost.exe, PID 2488: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. svhcost.exe, PID 2468: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
12. svhcost.exe, PID 1652: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. svhcost.exe, PID 1012: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14. svhcost.exe, PID 1572: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. svhcost.exe, PID 2320: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
16. svhcost.exe, PID 868: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. svhcost.exe, PID 2944: Executes dropped EXE; Loads dropped DLL
18. svhcost.exe, PID 2124: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
19. svhcost.exe, PID 2396: Executes dropped EXE; Loads dropped DLL
20. svhcost.exe, PID 2440: Executes dropped EXE; Loads dropped DLL
21. svhcost.exe, PID 2392: Executes dropped EXE; Loads dropped DLL
22. svhcost.exe, PID 1784: Executes dropped EXE; Loads dropped DLL
23. svhcost.exe, PID 1168: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
24. svhcost.exe, PID 2536: Executes dropped EXE; Loads dropped DLL
25. svhcost.exe, PID 1532: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
26. svhcost.exe, PID 1352: Executes dropped EXE; Loads dropped DLL
27. svhcost.exe, PID 760: Executes dropped EXE; Loads dropped DLL
28. svhcost.exe (entry cut off in the source; the chain continues beyond this point)
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
PID:1320 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe33⤵
- Executes dropped EXE
- Modifies WinLogon
PID:2292 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe34⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe35⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe37⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe38⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe39⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe41⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1008 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe42⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1460 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe43⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe44⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe45⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe46⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe47⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2056 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe48⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe49⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe50⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe51⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe52⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe53⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe54⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe55⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe57⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe58⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe59⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe61⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe63⤵
- Executes dropped EXE
- Modifies WinLogon
PID:2608 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe64⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe65⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe66⤵PID:3064
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe67⤵PID:2680
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe68⤵PID:320
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe69⤵PID:928
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe70⤵PID:2640
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe71⤵PID:276
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe72⤵PID:2612
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe73⤵
- Adds Run key to start application
PID:2368 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe74⤵PID:3048
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe75⤵PID:1648
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe76⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe77⤵PID:684
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe78⤵PID:1628
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe79⤵PID:476
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe80⤵PID:1596
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe81⤵
- Adds Run key to start application
PID:1932 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe82⤵PID:912
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe83⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe84⤵PID:2792
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe85⤵
- Modifies WinLogon
PID:948 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe86⤵PID:2624
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe87⤵PID:2840
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe88⤵
- Modifies WinLogon
PID:2740 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe89⤵PID:1496
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe90⤵PID:1348
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe91⤵PID:2200
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe92⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe93⤵PID:1216
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe94⤵
- Modifies WinLogon
PID:1240 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe95⤵PID:764
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe96⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe97⤵
- Modifies WinLogon
PID:2348 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe98⤵PID:2928
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe99⤵PID:2100
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe100⤵PID:1640
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe101⤵PID:2600
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe102⤵PID:2312
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe103⤵PID:1196
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe104⤵PID:1744
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe105⤵PID:3076
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe106⤵
- Drops file in System32 directory
PID:3096 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe107⤵PID:3112
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe108⤵
- Adds Run key to start application
PID:3128 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe109⤵
- Adds Run key to start application
PID:3148 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe110⤵PID:3184
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe111⤵
- Modifies WinLogon
PID:3200 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe112⤵PID:3212
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe113⤵PID:3224
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe114⤵PID:3236
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe115⤵PID:3252
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe116⤵
- Adds Run key to start application
PID:3268 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe117⤵PID:3288
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe118⤵PID:3304
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe119⤵PID:3320
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe120⤵PID:3340
-
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe121⤵
- Adds Run key to start application
PID:3356 -
C:\Windows\SysWOW64\svhcost.exeC:\Windows\system32\svhcost.exe122⤵PID:3372