pid	Process
1332	netsh.exe
1824	netsh.exe
1804	netsh.exe
588	netsh.exe
476	netsh.exe
2448	netsh.exe
1284	netsh.exe
1868	netsh.exe
2588	netsh.exe
872	netsh.exe
1680	netsh.exe
2560	netsh.exe
1160	netsh.exe
1248	netsh.exe
1680	netsh.exe
2224	netsh.exe
2880	netsh.exe
2380	netsh.exe
816	netsh.exe
2200	netsh.exe
2584	netsh.exe
2188	netsh.exe
1108	netsh.exe
2896	netsh.exe
1104	netsh.exe
2600	netsh.exe

pid	Process
2280	svchost.exe
3036	~tlC1C9.tmp
1076	svchost.exe
2360	~tl9BA3.tmp
2464	svchost.exe
2584	~tlBE60.tmp
872	svchost.exe
2280	~tlFE4C.tmp
908	svchost.exe
576	~tl7253.tmp
2152	svchost.exe
2776	~tlD22E.tmp

pid	Process
2236	svchost_dump_SCY - Copy.exe
2236	svchost_dump_SCY - Copy.exe
2280	svchost.exe
2280	svchost.exe
3036	~tlC1C9.tmp
3036	~tlC1C9.tmp
1076	svchost.exe
1076	svchost.exe
2416	taskeng.exe
2464	svchost.exe
2464	svchost.exe
2300	taskeng.exe
872	svchost.exe
872	svchost.exe
2536	taskeng.exe
908	svchost.exe
908	svchost.exe
2000	taskeng.exe
2152	svchost.exe
2152	svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlBE60.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\22GPQPYU.htm	~tlFE4C.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlBE60.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlFE4C.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm	~tl7253.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlD22E.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[2].htm	~tlD22E.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlFE4C.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl7253.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlD22E.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl7253.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

description	ioc	Process
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	~tlC1C9.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	~tlC1C9.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadNetworkName = "Network 2"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecision = "0"	~tl7253.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadNetworkName = "Network 2"	~tlD22E.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDetectedUrl	~tlBE60.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tlFE4C.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDetectedUrl	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecision = "0"	~tlBE60.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	~tlD22E.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	~tlFE4C.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = 9056160ae08cda01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	~tl7253.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	~tlBE60.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionReason = "1"	~tl7253.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tlFE4C.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	~tlD22E.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tlD22E.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tlD22E.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30afb31adf8cda01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1	~tlFE4C.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	~tlBE60.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tlD22E.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = f0fe3210e28cda01	~tlD22E.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl7253.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = b0e52b17e18cda01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecision = "0"	~tlFE4C.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	~tl9BA3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	~tl9BA3.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	~tl9BA3.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	~tl9BA3.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	~tl9BA3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	~tl9BA3.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	~tl9BA3.tmp

pid	Process
2712	powershell.exe
2540	powershell.exe
2236	svchost_dump_SCY - Copy.exe
2708	powershell.exe
568	powershell.exe
3036	~tlC1C9.tmp
1684	powershell.exe
2740	powershell.exe
3036	~tlC1C9.tmp
1076	svchost.exe
1608	powershell.exe
2812	powershell.exe
2360	~tl9BA3.tmp
1156	powershell.exe
804	powershell.exe
2464	svchost.exe
2512	powershell.exe
2696	powershell.exe
2584	~tlBE60.tmp
1104	powershell.exe
2940	powershell.exe
872	svchost.exe
2580	powershell.exe
1712	powershell.exe
2280	~tlFE4C.tmp
1304	powershell.exe
1320	powershell.exe
908	svchost.exe
2152	powershell.exe
1932	powershell.exe
576	~tl7253.tmp
1908	powershell.exe
2636	powershell.exe
2152	svchost.exe
1320	powershell.exe
2412	powershell.exe
2776	~tlD22E.tmp
2116	powershell.exe
2992	powershell.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1388	WMIC.exe
Token: SeSecurityPrivilege	1388	WMIC.exe
Token: SeTakeOwnershipPrivilege	1388	WMIC.exe
Token: SeLoadDriverPrivilege	1388	WMIC.exe
Token: SeSystemProfilePrivilege	1388	WMIC.exe
Token: SeSystemtimePrivilege	1388	WMIC.exe
Token: SeProfSingleProcessPrivilege	1388	WMIC.exe
Token: SeIncBasePriorityPrivilege	1388	WMIC.exe
Token: SeCreatePagefilePrivilege	1388	WMIC.exe
Token: SeBackupPrivilege	1388	WMIC.exe
Token: SeRestorePrivilege	1388	WMIC.exe
Token: SeShutdownPrivilege	1388	WMIC.exe
Token: SeDebugPrivilege	1388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1388	WMIC.exe
Token: SeRemoteShutdownPrivilege	1388	WMIC.exe
Token: SeUndockPrivilege	1388	WMIC.exe
Token: SeManageVolumePrivilege	1388	WMIC.exe
Token: 33	1388	WMIC.exe
Token: 34	1388	WMIC.exe
Token: 35	1388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1388	WMIC.exe
Token: SeSecurityPrivilege	1388	WMIC.exe
Token: SeTakeOwnershipPrivilege	1388	WMIC.exe
Token: SeLoadDriverPrivilege	1388	WMIC.exe
Token: SeSystemProfilePrivilege	1388	WMIC.exe
Token: SeSystemtimePrivilege	1388	WMIC.exe
Token: SeProfSingleProcessPrivilege	1388	WMIC.exe
Token: SeIncBasePriorityPrivilege	1388	WMIC.exe
Token: SeCreatePagefilePrivilege	1388	WMIC.exe
Token: SeBackupPrivilege	1388	WMIC.exe
Token: SeRestorePrivilege	1388	WMIC.exe
Token: SeShutdownPrivilege	1388	WMIC.exe
Token: SeDebugPrivilege	1388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1388	WMIC.exe
Token: SeRemoteShutdownPrivilege	1388	WMIC.exe
Token: SeUndockPrivilege	1388	WMIC.exe
Token: SeManageVolumePrivilege	1388	WMIC.exe
Token: 33	1388	WMIC.exe
Token: 34	1388	WMIC.exe
Token: 35	1388	WMIC.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeIncreaseQuotaPrivilege	924	WMIC.exe
Token: SeSecurityPrivilege	924	WMIC.exe
Token: SeTakeOwnershipPrivilege	924	WMIC.exe
Token: SeLoadDriverPrivilege	924	WMIC.exe
Token: SeSystemProfilePrivilege	924	WMIC.exe
Token: SeSystemtimePrivilege	924	WMIC.exe
Token: SeProfSingleProcessPrivilege	924	WMIC.exe
Token: SeIncBasePriorityPrivilege	924	WMIC.exe
Token: SeCreatePagefilePrivilege	924	WMIC.exe
Token: SeBackupPrivilege	924	WMIC.exe
Token: SeRestorePrivilege	924	WMIC.exe
Token: SeShutdownPrivilege	924	WMIC.exe
Token: SeDebugPrivilege	924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	924	WMIC.exe
Token: SeRemoteShutdownPrivilege	924	WMIC.exe
Token: SeUndockPrivilege	924	WMIC.exe
Token: SeManageVolumePrivilege	924	WMIC.exe
Token: 33	924	WMIC.exe
Token: 34	924	WMIC.exe
Token: 35	924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	924	WMIC.exe
Token: SeSecurityPrivilege	924	WMIC.exe

description	pid	Process	procid_target
PID 2236 wrote to memory of 1388	2236	svchost_dump_SCY - Copy.exe	29
PID 2236 wrote to memory of 1388	2236	svchost_dump_SCY - Copy.exe	29
PID 2236 wrote to memory of 1388	2236	svchost_dump_SCY - Copy.exe	29
PID 2236 wrote to memory of 2588	2236	svchost_dump_SCY - Copy.exe	33
PID 2236 wrote to memory of 2588	2236	svchost_dump_SCY - Copy.exe	33
PID 2236 wrote to memory of 2588	2236	svchost_dump_SCY - Copy.exe	33
PID 2236 wrote to memory of 2600	2236	svchost_dump_SCY - Copy.exe	34
PID 2236 wrote to memory of 2600	2236	svchost_dump_SCY - Copy.exe	34
PID 2236 wrote to memory of 2600	2236	svchost_dump_SCY - Copy.exe	34
PID 2236 wrote to memory of 2540	2236	svchost_dump_SCY - Copy.exe	37
PID 2236 wrote to memory of 2540	2236	svchost_dump_SCY - Copy.exe	37
PID 2236 wrote to memory of 2540	2236	svchost_dump_SCY - Copy.exe	37
PID 2236 wrote to memory of 2712	2236	svchost_dump_SCY - Copy.exe	39
PID 2236 wrote to memory of 2712	2236	svchost_dump_SCY - Copy.exe	39
PID 2236 wrote to memory of 2712	2236	svchost_dump_SCY - Copy.exe	39
PID 2236 wrote to memory of 1284	2236	svchost_dump_SCY - Copy.exe	41
PID 2236 wrote to memory of 1284	2236	svchost_dump_SCY - Copy.exe	41
PID 2236 wrote to memory of 1284	2236	svchost_dump_SCY - Copy.exe	41
PID 2236 wrote to memory of 1280	2236	svchost_dump_SCY - Copy.exe	43
PID 2236 wrote to memory of 1280	2236	svchost_dump_SCY - Copy.exe	43
PID 2236 wrote to memory of 1280	2236	svchost_dump_SCY - Copy.exe	43
PID 2236 wrote to memory of 2280	2236	svchost_dump_SCY - Copy.exe	45
PID 2236 wrote to memory of 2280	2236	svchost_dump_SCY - Copy.exe	45
PID 2236 wrote to memory of 2280	2236	svchost_dump_SCY - Copy.exe	45
PID 2280 wrote to memory of 924	2280	svchost.exe	47
PID 2280 wrote to memory of 924	2280	svchost.exe	47
PID 2280 wrote to memory of 924	2280	svchost.exe	47
PID 2280 wrote to memory of 2560	2280	svchost.exe	49
PID 2280 wrote to memory of 2560	2280	svchost.exe	49
PID 2280 wrote to memory of 2560	2280	svchost.exe	49
PID 2280 wrote to memory of 1824	2280	svchost.exe	51
PID 2280 wrote to memory of 1824	2280	svchost.exe	51
PID 2280 wrote to memory of 1824	2280	svchost.exe	51
PID 2280 wrote to memory of 2708	2280	svchost.exe	53
PID 2280 wrote to memory of 2708	2280	svchost.exe	53
PID 2280 wrote to memory of 2708	2280	svchost.exe	53
PID 2280 wrote to memory of 568	2280	svchost.exe	55
PID 2280 wrote to memory of 568	2280	svchost.exe	55
PID 2280 wrote to memory of 568	2280	svchost.exe	55
PID 2280 wrote to memory of 3036	2280	svchost.exe	57
PID 2280 wrote to memory of 3036	2280	svchost.exe	57
PID 2280 wrote to memory of 3036	2280	svchost.exe	57
PID 3036 wrote to memory of 2888	3036	~tlC1C9.tmp	59
PID 3036 wrote to memory of 2888	3036	~tlC1C9.tmp	59
PID 3036 wrote to memory of 2888	3036	~tlC1C9.tmp	59
PID 3036 wrote to memory of 476	3036	~tlC1C9.tmp	61
PID 3036 wrote to memory of 476	3036	~tlC1C9.tmp	61
PID 3036 wrote to memory of 476	3036	~tlC1C9.tmp	61
PID 3036 wrote to memory of 1332	3036	~tlC1C9.tmp	63
PID 3036 wrote to memory of 1332	3036	~tlC1C9.tmp	63
PID 3036 wrote to memory of 1332	3036	~tlC1C9.tmp	63
PID 3036 wrote to memory of 1684	3036	~tlC1C9.tmp	65
PID 3036 wrote to memory of 1684	3036	~tlC1C9.tmp	65
PID 3036 wrote to memory of 1684	3036	~tlC1C9.tmp	65
PID 3036 wrote to memory of 2740	3036	~tlC1C9.tmp	67
PID 3036 wrote to memory of 2740	3036	~tlC1C9.tmp	67
PID 3036 wrote to memory of 2740	3036	~tlC1C9.tmp	67
PID 3036 wrote to memory of 240	3036	~tlC1C9.tmp	69
PID 3036 wrote to memory of 240	3036	~tlC1C9.tmp	69
PID 3036 wrote to memory of 240	3036	~tlC1C9.tmp	69
PID 3036 wrote to memory of 2064	3036	~tlC1C9.tmp	71
PID 3036 wrote to memory of 2064	3036	~tlC1C9.tmp	71
PID 3036 wrote to memory of 2064	3036	~tlC1C9.tmp	71
PID 3036 wrote to memory of 1076	3036	~tlC1C9.tmp	73

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads