description	ioc	Process
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe

pid	Process
424	powershell.exe
424	powershell.exe
424	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
4208	svchost_dump_SCY - Copy.exe
4208	svchost_dump_SCY - Copy.exe
4212	powershell.exe
4212	powershell.exe
4212	powershell.exe
1284	powershell.exe
1284	powershell.exe
1284	powershell.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3640	WMIC.exe
Token: SeSecurityPrivilege	3640	WMIC.exe
Token: SeTakeOwnershipPrivilege	3640	WMIC.exe
Token: SeLoadDriverPrivilege	3640	WMIC.exe
Token: SeSystemProfilePrivilege	3640	WMIC.exe
Token: SeSystemtimePrivilege	3640	WMIC.exe
Token: SeProfSingleProcessPrivilege	3640	WMIC.exe
Token: SeIncBasePriorityPrivilege	3640	WMIC.exe
Token: SeCreatePagefilePrivilege	3640	WMIC.exe
Token: SeBackupPrivilege	3640	WMIC.exe
Token: SeRestorePrivilege	3640	WMIC.exe
Token: SeShutdownPrivilege	3640	WMIC.exe
Token: SeDebugPrivilege	3640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3640	WMIC.exe
Token: SeRemoteShutdownPrivilege	3640	WMIC.exe
Token: SeUndockPrivilege	3640	WMIC.exe
Token: SeManageVolumePrivilege	3640	WMIC.exe
Token: 33	3640	WMIC.exe
Token: 34	3640	WMIC.exe
Token: 35	3640	WMIC.exe
Token: 36	3640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3640	WMIC.exe
Token: SeSecurityPrivilege	3640	WMIC.exe
Token: SeTakeOwnershipPrivilege	3640	WMIC.exe
Token: SeLoadDriverPrivilege	3640	WMIC.exe
Token: SeSystemProfilePrivilege	3640	WMIC.exe
Token: SeSystemtimePrivilege	3640	WMIC.exe
Token: SeProfSingleProcessPrivilege	3640	WMIC.exe
Token: SeIncBasePriorityPrivilege	3640	WMIC.exe
Token: SeCreatePagefilePrivilege	3640	WMIC.exe
Token: SeBackupPrivilege	3640	WMIC.exe
Token: SeRestorePrivilege	3640	WMIC.exe
Token: SeShutdownPrivilege	3640	WMIC.exe
Token: SeDebugPrivilege	3640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3640	WMIC.exe
Token: SeRemoteShutdownPrivilege	3640	WMIC.exe
Token: SeUndockPrivilege	3640	WMIC.exe
Token: SeManageVolumePrivilege	3640	WMIC.exe
Token: 33	3640	WMIC.exe
Token: 34	3640	WMIC.exe
Token: 35	3640	WMIC.exe
Token: 36	3640	WMIC.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeIncreaseQuotaPrivilege	424	powershell.exe
Token: SeSecurityPrivilege	424	powershell.exe
Token: SeTakeOwnershipPrivilege	424	powershell.exe
Token: SeLoadDriverPrivilege	424	powershell.exe
Token: SeSystemProfilePrivilege	424	powershell.exe
Token: SeSystemtimePrivilege	424	powershell.exe
Token: SeProfSingleProcessPrivilege	424	powershell.exe
Token: SeIncBasePriorityPrivilege	424	powershell.exe
Token: SeCreatePagefilePrivilege	424	powershell.exe
Token: SeBackupPrivilege	424	powershell.exe
Token: SeRestorePrivilege	424	powershell.exe
Token: SeShutdownPrivilege	424	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeSystemEnvironmentPrivilege	424	powershell.exe
Token: SeRemoteShutdownPrivilege	424	powershell.exe
Token: SeUndockPrivilege	424	powershell.exe
Token: SeManageVolumePrivilege	424	powershell.exe
Token: 33	424	powershell.exe
Token: 34	424	powershell.exe
Token: 35	424	powershell.exe

description	pid	Process	procid_target
PID 4208 wrote to memory of 3640	4208	svchost_dump_SCY - Copy.exe	73
PID 4208 wrote to memory of 3640	4208	svchost_dump_SCY - Copy.exe	73
PID 4208 wrote to memory of 872	4208	svchost_dump_SCY - Copy.exe	75
PID 4208 wrote to memory of 872	4208	svchost_dump_SCY - Copy.exe	75
PID 4208 wrote to memory of 4848	4208	svchost_dump_SCY - Copy.exe	76
PID 4208 wrote to memory of 4848	4208	svchost_dump_SCY - Copy.exe	76
PID 4208 wrote to memory of 424	4208	svchost_dump_SCY - Copy.exe	79
PID 4208 wrote to memory of 424	4208	svchost_dump_SCY - Copy.exe	79
PID 4208 wrote to memory of 2360	4208	svchost_dump_SCY - Copy.exe	81
PID 4208 wrote to memory of 2360	4208	svchost_dump_SCY - Copy.exe	81
PID 4208 wrote to memory of 4652	4208	svchost_dump_SCY - Copy.exe	84
PID 4208 wrote to memory of 4652	4208	svchost_dump_SCY - Copy.exe	84
PID 4208 wrote to memory of 3228	4208	svchost_dump_SCY - Copy.exe	86
PID 4208 wrote to memory of 3228	4208	svchost_dump_SCY - Copy.exe	86
PID 4208 wrote to memory of 4344	4208	svchost_dump_SCY - Copy.exe	88
PID 4208 wrote to memory of 4344	4208	svchost_dump_SCY - Copy.exe	88
PID 4344 wrote to memory of 1696	4344	svchost.exe	90
PID 4344 wrote to memory of 1696	4344	svchost.exe	90
PID 4344 wrote to memory of 4192	4344	svchost.exe	92
PID 4344 wrote to memory of 4192	4344	svchost.exe	92
PID 4344 wrote to memory of 4872	4344	svchost.exe	94
PID 4344 wrote to memory of 4872	4344	svchost.exe	94
PID 4344 wrote to memory of 4212	4344	svchost.exe	95
PID 4344 wrote to memory of 4212	4344	svchost.exe	95
PID 4344 wrote to memory of 1284	4344	svchost.exe	98
PID 4344 wrote to memory of 1284	4344	svchost.exe	98

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads