Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-11-2024 17:05
General
-
Target
VanillaRat.exe
-
Size
1003KB
-
MD5
63e695a3ac69b33207847c37501dc89c
-
SHA1
bff6478ffc46201baff8b4e3f8151538a3099ef8
-
SHA256
7910204165b5361c5f022e7c8ce510d2947d850f651d4e85f8731d963409e789
-
SHA512
eab4d8e5e0631d1d5dd1a1f2c5f48372fae6143e4a51af3a3ee29fb5b70895a06018589c78c2f2606c6603a777dee5e7b5f29cb4a06f0289f01c287e7a27ab1f
-
SSDEEP
24576:og59nzOn6RU0rAxGLytABzMjhiZwxbRFXV9VLGIMD:og59ynbvxGLytA2bbFLV
Score
10/10
Malware Config
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 64 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 64 IoCs
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"3⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"4⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"5⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"6⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"7⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"8⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"9⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"10⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"11⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"12⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"13⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"14⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"15⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"16⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"17⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"18⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"19⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"20⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"21⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"22⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"23⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"24⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"25⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"26⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"27⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"28⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"29⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"30⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"31⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"32⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"33⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"34⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"35⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"36⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"37⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"38⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"39⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"40⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"41⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"42⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"43⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"44⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"45⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"46⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"47⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"48⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"49⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"50⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"51⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"52⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"53⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"54⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"55⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"56⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"57⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"58⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"59⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"60⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"61⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"62⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"63⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"64⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"65⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"66⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"67⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"68⤵
- Checks computer location settings
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"C:\Users\Admin\AppData\Local\Temp\VanillaRat.exe"69⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"69⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"68⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"67⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"66⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"65⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"64⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"63⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"62⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"61⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"60⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"59⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"58⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"57⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"56⤵
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"55⤵
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"54⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"53⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"52⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"51⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"50⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"49⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"48⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"47⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"46⤵
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"45⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"44⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"43⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"42⤵
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"41⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"40⤵
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"39⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"38⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"37⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"36⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"35⤵
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"34⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"33⤵
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"32⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"31⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"30⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"29⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"28⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"27⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"26⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"25⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"24⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"23⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"22⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"21⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"20⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"19⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"18⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"17⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"16⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"15⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"14⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"13⤵
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"12⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"11⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"10⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"9⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"8⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"7⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"6⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"5⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"4⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\svchostC:\Users\Admin\AppData\Roaming\svchost1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svchostC:\Users\Admin\AppData\Roaming\svchost1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svchostC:\Users\Admin\AppData\Roaming\svchost1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
871B
MD5386677f585908a33791517dfc2317f88
SHA12e6853b4560a9ac8a74cdd5c3124a777bc0d874e
SHA2567caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0
SHA512876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9
-
Filesize
112KB
MD5a239b7cac8be034a23e7e231d3bcc6df
SHA1ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d
SHA256063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8
SHA512c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524
-
Filesize
39KB
MD5d80d1b6d9a6d5986fa47f6f8487030e1
SHA18f5773bf9eca43b079c1766b2e9f44cc90bd9215
SHA256446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3
SHA5129fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc
-
Filesize
516KB
MD5592785ae48dc299e4969e8d242b37645
SHA15d5072cf0ef4cdabeccf4e16d3de4d59eb81158a
SHA256b3475f030659698f3dfdc7441093ebbaf430486a2c703bf7e81af2c650217a2d
SHA512aa7e613bd708aaf78657684f7eb69d46e21c74cfed5de008b7bcb57b21c2299b01ccd586d92064f27ffdc8f5724f7f656db4fedb27d274b8c7018926d8dad277
-
Filesize
256KB
-
Filesize
544KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.0MB