pid	Process
3220	netsh.exe
2904	netsh.exe
5024	netsh.exe
3028	netsh.exe
1936	netsh.exe
5016	netsh.exe
3904	netsh.exe
3976	netsh.exe

pid	Process
5056	svchost.exe
1756	~tl9210.tmp
4924	svchost.exe
520	~tl4088.tmp
4836	svchost.exe

description	ioc	Process
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl4088.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	~tl4088.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock	svchost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl4088.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl4088.tmp
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl4088.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe

pid	Process
4832	powershell.exe
3020	powershell.exe
3020	powershell.exe
4832	powershell.exe
3020	powershell.exe
4832	powershell.exe
2016	svchost_dump_SCY - Copy.exe
2016	svchost_dump_SCY - Copy.exe
2904	powershell.exe
3336	powershell.exe
3336	powershell.exe
2904	powershell.exe
2904	powershell.exe
3336	powershell.exe
4644	powershell.exe
1000	powershell.exe
4644	powershell.exe
1000	powershell.exe
4644	powershell.exe
1000	powershell.exe
520	~tl4088.tmp
520	~tl4088.tmp
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
520	~tl4088.tmp
520	~tl4088.tmp

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe
Token: 35	3820	WMIC.exe
Token: 36	3820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe
Token: 35	3820	WMIC.exe
Token: 36	3820	WMIC.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4832	powershell.exe
Token: SeSecurityPrivilege	4832	powershell.exe
Token: SeTakeOwnershipPrivilege	4832	powershell.exe
Token: SeLoadDriverPrivilege	4832	powershell.exe
Token: SeSystemProfilePrivilege	4832	powershell.exe
Token: SeSystemtimePrivilege	4832	powershell.exe
Token: SeProfSingleProcessPrivilege	4832	powershell.exe
Token: SeIncBasePriorityPrivilege	4832	powershell.exe
Token: SeCreatePagefilePrivilege	4832	powershell.exe
Token: SeBackupPrivilege	4832	powershell.exe
Token: SeRestorePrivilege	4832	powershell.exe
Token: SeShutdownPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeSystemEnvironmentPrivilege	4832	powershell.exe
Token: SeRemoteShutdownPrivilege	4832	powershell.exe
Token: SeUndockPrivilege	4832	powershell.exe
Token: SeManageVolumePrivilege	4832	powershell.exe
Token: 33	4832	powershell.exe
Token: 34	4832	powershell.exe
Token: 35	4832	powershell.exe

description	pid	Process	procid_target
PID 2016 wrote to memory of 3820	2016	svchost_dump_SCY - Copy.exe	73
PID 2016 wrote to memory of 3820	2016	svchost_dump_SCY - Copy.exe	73
PID 2016 wrote to memory of 5024	2016	svchost_dump_SCY - Copy.exe	75
PID 2016 wrote to memory of 5024	2016	svchost_dump_SCY - Copy.exe	75
PID 2016 wrote to memory of 3028	2016	svchost_dump_SCY - Copy.exe	77
PID 2016 wrote to memory of 3028	2016	svchost_dump_SCY - Copy.exe	77
PID 2016 wrote to memory of 4832	2016	svchost_dump_SCY - Copy.exe	79
PID 2016 wrote to memory of 4832	2016	svchost_dump_SCY - Copy.exe	79
PID 2016 wrote to memory of 3020	2016	svchost_dump_SCY - Copy.exe	81
PID 2016 wrote to memory of 3020	2016	svchost_dump_SCY - Copy.exe	81
PID 2016 wrote to memory of 208	2016	svchost_dump_SCY - Copy.exe	84
PID 2016 wrote to memory of 208	2016	svchost_dump_SCY - Copy.exe	84
PID 2016 wrote to memory of 4664	2016	svchost_dump_SCY - Copy.exe	86
PID 2016 wrote to memory of 4664	2016	svchost_dump_SCY - Copy.exe	86
PID 2016 wrote to memory of 5056	2016	svchost_dump_SCY - Copy.exe	88
PID 2016 wrote to memory of 5056	2016	svchost_dump_SCY - Copy.exe	88
PID 5056 wrote to memory of 912	5056	svchost.exe	90
PID 5056 wrote to memory of 912	5056	svchost.exe	90
PID 5056 wrote to memory of 1936	5056	svchost.exe	92
PID 5056 wrote to memory of 1936	5056	svchost.exe	92
PID 5056 wrote to memory of 5016	5056	svchost.exe	94
PID 5056 wrote to memory of 5016	5056	svchost.exe	94
PID 5056 wrote to memory of 2904	5056	svchost.exe	96
PID 5056 wrote to memory of 2904	5056	svchost.exe	96
PID 5056 wrote to memory of 3336	5056	svchost.exe	98
PID 5056 wrote to memory of 3336	5056	svchost.exe	98
PID 5056 wrote to memory of 1756	5056	svchost.exe	100
PID 5056 wrote to memory of 1756	5056	svchost.exe	100
PID 4924 wrote to memory of 4456	4924	svchost.exe	104
PID 4924 wrote to memory of 4456	4924	svchost.exe	104
PID 4924 wrote to memory of 3904	4924	svchost.exe	106
PID 4924 wrote to memory of 3904	4924	svchost.exe	106
PID 4924 wrote to memory of 3976	4924	svchost.exe	108
PID 4924 wrote to memory of 3976	4924	svchost.exe	108
PID 4924 wrote to memory of 4644	4924	svchost.exe	110
PID 4924 wrote to memory of 4644	4924	svchost.exe	110
PID 4924 wrote to memory of 1000	4924	svchost.exe	112
PID 4924 wrote to memory of 1000	4924	svchost.exe	112
PID 4924 wrote to memory of 520	4924	svchost.exe	115
PID 4924 wrote to memory of 520	4924	svchost.exe	115
PID 520 wrote to memory of 3804	520	~tl4088.tmp	116
PID 520 wrote to memory of 3804	520	~tl4088.tmp	116
PID 520 wrote to memory of 3220	520	~tl4088.tmp	118
PID 520 wrote to memory of 3220	520	~tl4088.tmp	118
PID 520 wrote to memory of 2904	520	~tl4088.tmp	120
PID 520 wrote to memory of 2904	520	~tl4088.tmp	120
PID 520 wrote to memory of 3456	520	~tl4088.tmp	122
PID 520 wrote to memory of 3456	520	~tl4088.tmp	122
PID 520 wrote to memory of 5088	520	~tl4088.tmp	124
PID 520 wrote to memory of 5088	520	~tl4088.tmp	124
PID 520 wrote to memory of 1352	520	~tl4088.tmp	127
PID 520 wrote to memory of 1352	520	~tl4088.tmp	127
PID 520 wrote to memory of 4012	520	~tl4088.tmp	129
PID 520 wrote to memory of 4012	520	~tl4088.tmp	129
PID 520 wrote to memory of 4836	520	~tl4088.tmp	131
PID 520 wrote to memory of 4836	520	~tl4088.tmp	131

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads