pid	Process
2472	netsh.exe
2712	netsh.exe
696	netsh.exe
2480	netsh.exe
1704	netsh.exe
2104	netsh.exe
2440	netsh.exe
1056	netsh.exe
2308	netsh.exe
2668	netsh.exe
1160	netsh.exe
2776	netsh.exe
408	netsh.exe
1160	netsh.exe
2020	netsh.exe
1716	netsh.exe
2784	netsh.exe
1476	netsh.exe

pid	Process
2316	svchost.exe
2956	~tlA7A5.tmp
2308	svchost.exe
2464	~tlD5C6.tmp
2664	svchost.exe
2268	~tl4AC6.tmp
1728	svchost.exe
2420	~tl981B.tmp

pid	Process
2184	svchost_dump_SCY - Copy.exe
2184	svchost_dump_SCY - Copy.exe
2316	svchost.exe
2316	svchost.exe
2956	~tlA7A5.tmp
2956	~tlA7A5.tmp
2308	svchost.exe
2308	svchost.exe
2500	taskeng.exe
2664	svchost.exe
2664	svchost.exe
2156	taskeng.exe
1728	svchost.exe
1728	svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl981B.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl981B.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl4AC6.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8MJ0U9PK.htm	~tl981B.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3JLJMOT4.htm	~tl981B.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl4AC6.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	~tlA7A5.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	~tlA7A5.tmp

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 2031001bdf8cda01	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionReason = "1"	~tl4AC6.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecision = "0"	~tl981B.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionTime = 00da0325df8cda01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\56-e2-a6-17-91-f9	~tl981B.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionReason = "1"	~tl4AC6.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecision = "0"	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadNetworkName = "Network 3"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl4AC6.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionTime = 00da0325df8cda01	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{58DC4C42-1ADB-42B9-84A8-81B672692428}\WpadDecisionTime = 00da0325df8cda01	~tl4AC6.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl981B.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDetectedUrl	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl4AC6.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	~tl4AC6.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-e2-a6-17-91-f9\WpadDetectedUrl	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl4AC6.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	~tl981B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl4AC6.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl4AC6.tmp

pid	Process
2776	powershell.exe
2460	powershell.exe
2184	svchost_dump_SCY - Copy.exe
568	powershell.exe
1136	powershell.exe
2956	~tlA7A5.tmp
2748	powershell.exe
616	powershell.exe
2956	~tlA7A5.tmp
2308	svchost.exe
1504	powershell.exe
2696	powershell.exe
2464	~tlD5C6.tmp
1976	powershell.exe
600	powershell.exe
2664	svchost.exe
1264	powershell.exe
484	powershell.exe
2268	~tl4AC6.tmp
2788	powershell.exe
1012	powershell.exe
1728	svchost.exe
2012	powershell.exe
2316	powershell.exe
2420	~tl981B.tmp
1700	powershell.exe
1612	powershell.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2548	WMIC.exe
Token: SeSecurityPrivilege	2548	WMIC.exe
Token: SeTakeOwnershipPrivilege	2548	WMIC.exe
Token: SeLoadDriverPrivilege	2548	WMIC.exe
Token: SeSystemProfilePrivilege	2548	WMIC.exe
Token: SeSystemtimePrivilege	2548	WMIC.exe
Token: SeProfSingleProcessPrivilege	2548	WMIC.exe
Token: SeIncBasePriorityPrivilege	2548	WMIC.exe
Token: SeCreatePagefilePrivilege	2548	WMIC.exe
Token: SeBackupPrivilege	2548	WMIC.exe
Token: SeRestorePrivilege	2548	WMIC.exe
Token: SeShutdownPrivilege	2548	WMIC.exe
Token: SeDebugPrivilege	2548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2548	WMIC.exe
Token: SeRemoteShutdownPrivilege	2548	WMIC.exe
Token: SeUndockPrivilege	2548	WMIC.exe
Token: SeManageVolumePrivilege	2548	WMIC.exe
Token: 33	2548	WMIC.exe
Token: 34	2548	WMIC.exe
Token: 35	2548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2548	WMIC.exe
Token: SeSecurityPrivilege	2548	WMIC.exe
Token: SeTakeOwnershipPrivilege	2548	WMIC.exe
Token: SeLoadDriverPrivilege	2548	WMIC.exe
Token: SeSystemProfilePrivilege	2548	WMIC.exe
Token: SeSystemtimePrivilege	2548	WMIC.exe
Token: SeProfSingleProcessPrivilege	2548	WMIC.exe
Token: SeIncBasePriorityPrivilege	2548	WMIC.exe
Token: SeCreatePagefilePrivilege	2548	WMIC.exe
Token: SeBackupPrivilege	2548	WMIC.exe
Token: SeRestorePrivilege	2548	WMIC.exe
Token: SeShutdownPrivilege	2548	WMIC.exe
Token: SeDebugPrivilege	2548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2548	WMIC.exe
Token: SeRemoteShutdownPrivilege	2548	WMIC.exe
Token: SeUndockPrivilege	2548	WMIC.exe
Token: SeManageVolumePrivilege	2548	WMIC.exe
Token: 33	2548	WMIC.exe
Token: 34	2548	WMIC.exe
Token: 35	2548	WMIC.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe
Token: SeTakeOwnershipPrivilege	1496	WMIC.exe
Token: SeLoadDriverPrivilege	1496	WMIC.exe
Token: SeSystemProfilePrivilege	1496	WMIC.exe
Token: SeSystemtimePrivilege	1496	WMIC.exe
Token: SeProfSingleProcessPrivilege	1496	WMIC.exe
Token: SeIncBasePriorityPrivilege	1496	WMIC.exe
Token: SeCreatePagefilePrivilege	1496	WMIC.exe
Token: SeBackupPrivilege	1496	WMIC.exe
Token: SeRestorePrivilege	1496	WMIC.exe
Token: SeShutdownPrivilege	1496	WMIC.exe
Token: SeDebugPrivilege	1496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1496	WMIC.exe
Token: SeRemoteShutdownPrivilege	1496	WMIC.exe
Token: SeUndockPrivilege	1496	WMIC.exe
Token: SeManageVolumePrivilege	1496	WMIC.exe
Token: 33	1496	WMIC.exe
Token: 34	1496	WMIC.exe
Token: 35	1496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1496	WMIC.exe
Token: SeSecurityPrivilege	1496	WMIC.exe

description	pid	Process	procid_target
PID 2184 wrote to memory of 2548	2184	svchost_dump_SCY - Copy.exe	29
PID 2184 wrote to memory of 2548	2184	svchost_dump_SCY - Copy.exe	29
PID 2184 wrote to memory of 2548	2184	svchost_dump_SCY - Copy.exe	29
PID 2184 wrote to memory of 2668	2184	svchost_dump_SCY - Copy.exe	31
PID 2184 wrote to memory of 2668	2184	svchost_dump_SCY - Copy.exe	31
PID 2184 wrote to memory of 2668	2184	svchost_dump_SCY - Copy.exe	31
PID 2184 wrote to memory of 2712	2184	svchost_dump_SCY - Copy.exe	33
PID 2184 wrote to memory of 2712	2184	svchost_dump_SCY - Copy.exe	33
PID 2184 wrote to memory of 2712	2184	svchost_dump_SCY - Copy.exe	33
PID 2184 wrote to memory of 2776	2184	svchost_dump_SCY - Copy.exe	35
PID 2184 wrote to memory of 2776	2184	svchost_dump_SCY - Copy.exe	35
PID 2184 wrote to memory of 2776	2184	svchost_dump_SCY - Copy.exe	35
PID 2184 wrote to memory of 2460	2184	svchost_dump_SCY - Copy.exe	37
PID 2184 wrote to memory of 2460	2184	svchost_dump_SCY - Copy.exe	37
PID 2184 wrote to memory of 2460	2184	svchost_dump_SCY - Copy.exe	37
PID 2184 wrote to memory of 764	2184	svchost_dump_SCY - Copy.exe	39
PID 2184 wrote to memory of 764	2184	svchost_dump_SCY - Copy.exe	39
PID 2184 wrote to memory of 764	2184	svchost_dump_SCY - Copy.exe	39
PID 2184 wrote to memory of 332	2184	svchost_dump_SCY - Copy.exe	41
PID 2184 wrote to memory of 332	2184	svchost_dump_SCY - Copy.exe	41
PID 2184 wrote to memory of 332	2184	svchost_dump_SCY - Copy.exe	41
PID 2184 wrote to memory of 2316	2184	svchost_dump_SCY - Copy.exe	43
PID 2184 wrote to memory of 2316	2184	svchost_dump_SCY - Copy.exe	43
PID 2184 wrote to memory of 2316	2184	svchost_dump_SCY - Copy.exe	43
PID 2316 wrote to memory of 1496	2316	svchost.exe	45
PID 2316 wrote to memory of 1496	2316	svchost.exe	45
PID 2316 wrote to memory of 1496	2316	svchost.exe	45
PID 2316 wrote to memory of 696	2316	svchost.exe	49
PID 2316 wrote to memory of 696	2316	svchost.exe	49
PID 2316 wrote to memory of 696	2316	svchost.exe	49
PID 2316 wrote to memory of 1160	2316	svchost.exe	51
PID 2316 wrote to memory of 1160	2316	svchost.exe	51
PID 2316 wrote to memory of 1160	2316	svchost.exe	51
PID 2316 wrote to memory of 568	2316	svchost.exe	53
PID 2316 wrote to memory of 568	2316	svchost.exe	53
PID 2316 wrote to memory of 568	2316	svchost.exe	53
PID 2316 wrote to memory of 1136	2316	svchost.exe	55
PID 2316 wrote to memory of 1136	2316	svchost.exe	55
PID 2316 wrote to memory of 1136	2316	svchost.exe	55
PID 2316 wrote to memory of 2956	2316	svchost.exe	57
PID 2316 wrote to memory of 2956	2316	svchost.exe	57
PID 2316 wrote to memory of 2956	2316	svchost.exe	57
PID 2956 wrote to memory of 2268	2956	~tlA7A5.tmp	59
PID 2956 wrote to memory of 2268	2956	~tlA7A5.tmp	59
PID 2956 wrote to memory of 2268	2956	~tlA7A5.tmp	59
PID 2956 wrote to memory of 2480	2956	~tlA7A5.tmp	61
PID 2956 wrote to memory of 2480	2956	~tlA7A5.tmp	61
PID 2956 wrote to memory of 2480	2956	~tlA7A5.tmp	61
PID 2956 wrote to memory of 2020	2956	~tlA7A5.tmp	63
PID 2956 wrote to memory of 2020	2956	~tlA7A5.tmp	63
PID 2956 wrote to memory of 2020	2956	~tlA7A5.tmp	63
PID 2956 wrote to memory of 2748	2956	~tlA7A5.tmp	65
PID 2956 wrote to memory of 2748	2956	~tlA7A5.tmp	65
PID 2956 wrote to memory of 2748	2956	~tlA7A5.tmp	65
PID 2956 wrote to memory of 616	2956	~tlA7A5.tmp	67
PID 2956 wrote to memory of 616	2956	~tlA7A5.tmp	67
PID 2956 wrote to memory of 616	2956	~tlA7A5.tmp	67
PID 2956 wrote to memory of 2860	2956	~tlA7A5.tmp	69
PID 2956 wrote to memory of 2860	2956	~tlA7A5.tmp	69
PID 2956 wrote to memory of 2860	2956	~tlA7A5.tmp	69
PID 2956 wrote to memory of 996	2956	~tlA7A5.tmp	71
PID 2956 wrote to memory of 996	2956	~tlA7A5.tmp	71
PID 2956 wrote to memory of 996	2956	~tlA7A5.tmp	71
PID 2956 wrote to memory of 2308	2956	~tlA7A5.tmp	73

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads