pid	Process
2056	netsh.exe
2916	netsh.exe
2000	netsh.exe
2548	netsh.exe
2580	netsh.exe
2824	netsh.exe

pid	Process
2608	svchost.exe
2228	~tlCD7C.tmp
1632	svchost.exe
2180	~tlAAB1.tmp

pid	Process
2956	tmp.exe
2956	tmp.exe
2608	svchost.exe
2608	svchost.exe
2228	~tlCD7C.tmp
2228	~tlCD7C.tmp
1632	svchost.exe
1632	svchost.exe

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	~tlCD7C.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tlCD7C.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	tmp.exe
File created	C:\Windows\System\svchost.exe	tmp.exe
File opened for modification	C:\Windows\System\svchost.exe	tmp.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

pid	Process
2732	powershell.exe
2684	powershell.exe
2956	tmp.exe
2880	powershell.exe
2920	powershell.exe
2228	~tlCD7C.tmp
2592	powershell.exe
2536	powershell.exe
2228	~tlCD7C.tmp
1632	svchost.exe
2360	powershell.exe
2256	powershell.exe
2180	~tlAAB1.tmp
1676	powershell.exe
2588	powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe

description	pid	Process	procid_target
PID 2956 wrote to memory of 2684	2956	tmp.exe	30
PID 2956 wrote to memory of 2684	2956	tmp.exe	30
PID 2956 wrote to memory of 2684	2956	tmp.exe	30
PID 2956 wrote to memory of 2732	2956	tmp.exe	32
PID 2956 wrote to memory of 2732	2956	tmp.exe	32
PID 2956 wrote to memory of 2732	2956	tmp.exe	32
PID 2956 wrote to memory of 2488	2956	tmp.exe	34
PID 2956 wrote to memory of 2488	2956	tmp.exe	34
PID 2956 wrote to memory of 2488	2956	tmp.exe	34
PID 2956 wrote to memory of 2608	2956	tmp.exe	36
PID 2956 wrote to memory of 2608	2956	tmp.exe	36
PID 2956 wrote to memory of 2608	2956	tmp.exe	36
PID 2608 wrote to memory of 2920	2608	svchost.exe	40
PID 2608 wrote to memory of 2920	2608	svchost.exe	40
PID 2608 wrote to memory of 2920	2608	svchost.exe	40
PID 2608 wrote to memory of 2880	2608	svchost.exe	42
PID 2608 wrote to memory of 2880	2608	svchost.exe	42
PID 2608 wrote to memory of 2880	2608	svchost.exe	42
PID 2608 wrote to memory of 2228	2608	svchost.exe	44
PID 2608 wrote to memory of 2228	2608	svchost.exe	44
PID 2608 wrote to memory of 2228	2608	svchost.exe	44
PID 2228 wrote to memory of 1784	2228	~tlCD7C.tmp	46
PID 2228 wrote to memory of 1784	2228	~tlCD7C.tmp	46
PID 2228 wrote to memory of 1784	2228	~tlCD7C.tmp	46
PID 2228 wrote to memory of 2548	2228	~tlCD7C.tmp	48
PID 2228 wrote to memory of 2548	2228	~tlCD7C.tmp	48
PID 2228 wrote to memory of 2548	2228	~tlCD7C.tmp	48
PID 2228 wrote to memory of 2580	2228	~tlCD7C.tmp	50
PID 2228 wrote to memory of 2580	2228	~tlCD7C.tmp	50
PID 2228 wrote to memory of 2580	2228	~tlCD7C.tmp	50
PID 2228 wrote to memory of 2592	2228	~tlCD7C.tmp	51
PID 2228 wrote to memory of 2592	2228	~tlCD7C.tmp	51
PID 2228 wrote to memory of 2592	2228	~tlCD7C.tmp	51
PID 2228 wrote to memory of 2536	2228	~tlCD7C.tmp	54
PID 2228 wrote to memory of 2536	2228	~tlCD7C.tmp	54
PID 2228 wrote to memory of 2536	2228	~tlCD7C.tmp	54
PID 2228 wrote to memory of 2308	2228	~tlCD7C.tmp	56
PID 2228 wrote to memory of 2308	2228	~tlCD7C.tmp	56
PID 2228 wrote to memory of 2308	2228	~tlCD7C.tmp	56
PID 2228 wrote to memory of 2624	2228	~tlCD7C.tmp	58
PID 2228 wrote to memory of 2624	2228	~tlCD7C.tmp	58
PID 2228 wrote to memory of 2624	2228	~tlCD7C.tmp	58
PID 2228 wrote to memory of 1632	2228	~tlCD7C.tmp	60
PID 2228 wrote to memory of 1632	2228	~tlCD7C.tmp	60
PID 2228 wrote to memory of 1632	2228	~tlCD7C.tmp	60
PID 1632 wrote to memory of 2904	1632	svchost.exe	62
PID 1632 wrote to memory of 2904	1632	svchost.exe	62
PID 1632 wrote to memory of 2904	1632	svchost.exe	62
PID 1632 wrote to memory of 2824	1632	svchost.exe	64
PID 1632 wrote to memory of 2824	1632	svchost.exe	64
PID 1632 wrote to memory of 2824	1632	svchost.exe	64
PID 1632 wrote to memory of 2056	1632	svchost.exe	65
PID 1632 wrote to memory of 2056	1632	svchost.exe	65
PID 1632 wrote to memory of 2056	1632	svchost.exe	65
PID 1632 wrote to memory of 2360	1632	svchost.exe	68
PID 1632 wrote to memory of 2360	1632	svchost.exe	68
PID 1632 wrote to memory of 2360	1632	svchost.exe	68
PID 1632 wrote to memory of 2256	1632	svchost.exe	70
PID 1632 wrote to memory of 2256	1632	svchost.exe	70
PID 1632 wrote to memory of 2256	1632	svchost.exe	70
PID 1632 wrote to memory of 2180	1632	svchost.exe	72
PID 1632 wrote to memory of 2180	1632	svchost.exe	72
PID 1632 wrote to memory of 2180	1632	svchost.exe	72
PID 2180 wrote to memory of 1496	2180	~tlAAB1.tmp	74

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads