description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

pid	Process
3984	powershell.exe
3984	powershell.exe
2828	powershell.exe
2828	powershell.exe
2492	svchost_dump_SCY - Copy.exe
2492	svchost_dump_SCY - Copy.exe
948	powershell.exe
948	powershell.exe
4024	powershell.exe
4024	powershell.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeIncreaseQuotaPrivilege	2728	WMIC.exe
Token: SeSecurityPrivilege	2728	WMIC.exe
Token: SeTakeOwnershipPrivilege	2728	WMIC.exe
Token: SeLoadDriverPrivilege	2728	WMIC.exe
Token: SeSystemProfilePrivilege	2728	WMIC.exe
Token: SeSystemtimePrivilege	2728	WMIC.exe
Token: SeProfSingleProcessPrivilege	2728	WMIC.exe
Token: SeIncBasePriorityPrivilege	2728	WMIC.exe
Token: SeCreatePagefilePrivilege	2728	WMIC.exe
Token: SeBackupPrivilege	2728	WMIC.exe
Token: SeRestorePrivilege	2728	WMIC.exe
Token: SeShutdownPrivilege	2728	WMIC.exe
Token: SeDebugPrivilege	2728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2728	WMIC.exe
Token: SeRemoteShutdownPrivilege	2728	WMIC.exe
Token: SeUndockPrivilege	2728	WMIC.exe
Token: SeManageVolumePrivilege	2728	WMIC.exe
Token: 33	2728	WMIC.exe
Token: 34	2728	WMIC.exe
Token: 35	2728	WMIC.exe

description	pid	Process	procid_target
PID 2492 wrote to memory of 3920	2492	svchost_dump_SCY - Copy.exe	77
PID 2492 wrote to memory of 3920	2492	svchost_dump_SCY - Copy.exe	77
PID 2492 wrote to memory of 2912	2492	svchost_dump_SCY - Copy.exe	79
PID 2492 wrote to memory of 2912	2492	svchost_dump_SCY - Copy.exe	79
PID 2492 wrote to memory of 4432	2492	svchost_dump_SCY - Copy.exe	80
PID 2492 wrote to memory of 4432	2492	svchost_dump_SCY - Copy.exe	80
PID 2492 wrote to memory of 3984	2492	svchost_dump_SCY - Copy.exe	83
PID 2492 wrote to memory of 3984	2492	svchost_dump_SCY - Copy.exe	83
PID 2492 wrote to memory of 2828	2492	svchost_dump_SCY - Copy.exe	85
PID 2492 wrote to memory of 2828	2492	svchost_dump_SCY - Copy.exe	85
PID 2492 wrote to memory of 2720	2492	svchost_dump_SCY - Copy.exe	87
PID 2492 wrote to memory of 2720	2492	svchost_dump_SCY - Copy.exe	87
PID 2492 wrote to memory of 644	2492	svchost_dump_SCY - Copy.exe	89
PID 2492 wrote to memory of 644	2492	svchost_dump_SCY - Copy.exe	89
PID 2492 wrote to memory of 2148	2492	svchost_dump_SCY - Copy.exe	91
PID 2492 wrote to memory of 2148	2492	svchost_dump_SCY - Copy.exe	91
PID 2148 wrote to memory of 2728	2148	svchost.exe	94
PID 2148 wrote to memory of 2728	2148	svchost.exe	94
PID 2148 wrote to memory of 3704	2148	svchost.exe	96
PID 2148 wrote to memory of 3704	2148	svchost.exe	96
PID 2148 wrote to memory of 692	2148	svchost.exe	98
PID 2148 wrote to memory of 692	2148	svchost.exe	98
PID 2148 wrote to memory of 948	2148	svchost.exe	100
PID 2148 wrote to memory of 948	2148	svchost.exe	100
PID 2148 wrote to memory of 4024	2148	svchost.exe	102
PID 2148 wrote to memory of 4024	2148	svchost.exe	102

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads