pid	Process
4976	netsh.exe
4432	netsh.exe
1172	netsh.exe
3068	netsh.exe
2840	netsh.exe
4788	netsh.exe
1736	netsh.exe
4556	netsh.exe
644	netsh.exe
3456	netsh.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	svchost_dump_SCY - Copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	~tl9607.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	~tl90F2.tmp

pid	Process
2660	svchost.exe
4172	~tl9607.tmp
5000	svchost.exe
3576	~tl90F2.tmp

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl9607.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl9607.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe

pid	Process
5044	powershell.exe
4352	powershell.exe
4352	powershell.exe
5044	powershell.exe
2020	svchost_dump_SCY - Copy.exe
2020	svchost_dump_SCY - Copy.exe
3652	powershell.exe
3424	powershell.exe
3652	powershell.exe
3424	powershell.exe
4172	~tl9607.tmp
4172	~tl9607.tmp
1620	powershell.exe
1620	powershell.exe
1700	powershell.exe
1700	powershell.exe
4172	~tl9607.tmp
4172	~tl9607.tmp
5000	svchost.exe
5000	svchost.exe
544	powershell.exe
3580	powershell.exe
544	powershell.exe
3580	powershell.exe
3576	~tl90F2.tmp
3576	~tl90F2.tmp
1536	powershell.exe
3628	powershell.exe
1536	powershell.exe
3628	powershell.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemProfilePrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeProfSingleProcessPrivilege	2188	WMIC.exe
Token: SeIncBasePriorityPrivilege	2188	WMIC.exe
Token: SeCreatePagefilePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeRemoteShutdownPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: 33	2188	WMIC.exe
Token: 34	2188	WMIC.exe
Token: 35	2188	WMIC.exe
Token: 36	2188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemProfilePrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeProfSingleProcessPrivilege	2188	WMIC.exe
Token: SeIncBasePriorityPrivilege	2188	WMIC.exe
Token: SeCreatePagefilePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeRemoteShutdownPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: 33	2188	WMIC.exe
Token: 34	2188	WMIC.exe
Token: 35	2188	WMIC.exe
Token: 36	2188	WMIC.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeIncreaseQuotaPrivilege	4412	WMIC.exe
Token: SeSecurityPrivilege	4412	WMIC.exe
Token: SeTakeOwnershipPrivilege	4412	WMIC.exe
Token: SeLoadDriverPrivilege	4412	WMIC.exe
Token: SeSystemProfilePrivilege	4412	WMIC.exe
Token: SeSystemtimePrivilege	4412	WMIC.exe
Token: SeProfSingleProcessPrivilege	4412	WMIC.exe
Token: SeIncBasePriorityPrivilege	4412	WMIC.exe
Token: SeCreatePagefilePrivilege	4412	WMIC.exe
Token: SeBackupPrivilege	4412	WMIC.exe
Token: SeRestorePrivilege	4412	WMIC.exe
Token: SeShutdownPrivilege	4412	WMIC.exe
Token: SeDebugPrivilege	4412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4412	WMIC.exe
Token: SeRemoteShutdownPrivilege	4412	WMIC.exe
Token: SeUndockPrivilege	4412	WMIC.exe
Token: SeManageVolumePrivilege	4412	WMIC.exe
Token: 33	4412	WMIC.exe
Token: 34	4412	WMIC.exe
Token: 35	4412	WMIC.exe

description	pid	Process	procid_target
PID 2020 wrote to memory of 2188	2020	svchost_dump_SCY - Copy.exe	84
PID 2020 wrote to memory of 2188	2020	svchost_dump_SCY - Copy.exe	84
PID 2020 wrote to memory of 4976	2020	svchost_dump_SCY - Copy.exe	93
PID 2020 wrote to memory of 4976	2020	svchost_dump_SCY - Copy.exe	93
PID 2020 wrote to memory of 1736	2020	svchost_dump_SCY - Copy.exe	94
PID 2020 wrote to memory of 1736	2020	svchost_dump_SCY - Copy.exe	94
PID 2020 wrote to memory of 5044	2020	svchost_dump_SCY - Copy.exe	96
PID 2020 wrote to memory of 5044	2020	svchost_dump_SCY - Copy.exe	96
PID 2020 wrote to memory of 4352	2020	svchost_dump_SCY - Copy.exe	99
PID 2020 wrote to memory of 4352	2020	svchost_dump_SCY - Copy.exe	99
PID 2020 wrote to memory of 2688	2020	svchost_dump_SCY - Copy.exe	101
PID 2020 wrote to memory of 2688	2020	svchost_dump_SCY - Copy.exe	101
PID 2020 wrote to memory of 4332	2020	svchost_dump_SCY - Copy.exe	104
PID 2020 wrote to memory of 4332	2020	svchost_dump_SCY - Copy.exe	104
PID 2020 wrote to memory of 2660	2020	svchost_dump_SCY - Copy.exe	106
PID 2020 wrote to memory of 2660	2020	svchost_dump_SCY - Copy.exe	106
PID 2660 wrote to memory of 4412	2660	svchost.exe	108
PID 2660 wrote to memory of 4412	2660	svchost.exe	108
PID 2660 wrote to memory of 4556	2660	svchost.exe	110
PID 2660 wrote to memory of 4556	2660	svchost.exe	110
PID 2660 wrote to memory of 644	2660	svchost.exe	112
PID 2660 wrote to memory of 644	2660	svchost.exe	112
PID 2660 wrote to memory of 3652	2660	svchost.exe	114
PID 2660 wrote to memory of 3652	2660	svchost.exe	114
PID 2660 wrote to memory of 3424	2660	svchost.exe	116
PID 2660 wrote to memory of 3424	2660	svchost.exe	116
PID 2660 wrote to memory of 4172	2660	svchost.exe	118
PID 2660 wrote to memory of 4172	2660	svchost.exe	118
PID 4172 wrote to memory of 1640	4172	~tl9607.tmp	119
PID 4172 wrote to memory of 1640	4172	~tl9607.tmp	119
PID 4172 wrote to memory of 3456	4172	~tl9607.tmp	121
PID 4172 wrote to memory of 3456	4172	~tl9607.tmp	121
PID 4172 wrote to memory of 1172	4172	~tl9607.tmp	123
PID 4172 wrote to memory of 1172	4172	~tl9607.tmp	123
PID 4172 wrote to memory of 1620	4172	~tl9607.tmp	125
PID 4172 wrote to memory of 1620	4172	~tl9607.tmp	125
PID 4172 wrote to memory of 1700	4172	~tl9607.tmp	127
PID 4172 wrote to memory of 1700	4172	~tl9607.tmp	127
PID 4172 wrote to memory of 2148	4172	~tl9607.tmp	129
PID 4172 wrote to memory of 2148	4172	~tl9607.tmp	129
PID 4172 wrote to memory of 4108	4172	~tl9607.tmp	131
PID 4172 wrote to memory of 4108	4172	~tl9607.tmp	131
PID 4172 wrote to memory of 5000	4172	~tl9607.tmp	133
PID 4172 wrote to memory of 5000	4172	~tl9607.tmp	133
PID 5000 wrote to memory of 4500	5000	svchost.exe	134
PID 5000 wrote to memory of 4500	5000	svchost.exe	134
PID 5000 wrote to memory of 4432	5000	svchost.exe	136
PID 5000 wrote to memory of 4432	5000	svchost.exe	136
PID 5000 wrote to memory of 3068	5000	svchost.exe	138
PID 5000 wrote to memory of 3068	5000	svchost.exe	138
PID 5000 wrote to memory of 544	5000	svchost.exe	140
PID 5000 wrote to memory of 544	5000	svchost.exe	140
PID 5000 wrote to memory of 3580	5000	svchost.exe	142
PID 5000 wrote to memory of 3580	5000	svchost.exe	142
PID 5000 wrote to memory of 3576	5000	svchost.exe	144
PID 5000 wrote to memory of 3576	5000	svchost.exe	144
PID 3576 wrote to memory of 3652	3576	~tl90F2.tmp	145
PID 3576 wrote to memory of 3652	3576	~tl90F2.tmp	145
PID 3576 wrote to memory of 2840	3576	~tl90F2.tmp	147
PID 3576 wrote to memory of 2840	3576	~tl90F2.tmp	147
PID 3576 wrote to memory of 4788	3576	~tl90F2.tmp	149
PID 3576 wrote to memory of 4788	3576	~tl90F2.tmp	149
PID 3576 wrote to memory of 1536	3576	~tl90F2.tmp	151
PID 3576 wrote to memory of 1536	3576	~tl90F2.tmp	151

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads