description	ioc	process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost_dump_SCY - Copy.exe
File created	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe
File opened for modification	C:\Windows\System\svchost.exe	svchost_dump_SCY - Copy.exe

pid	process
392	powershell.exe
392	powershell.exe
2648	powershell.exe
2648	powershell.exe
392	powershell.exe
2648	powershell.exe
420	svchost_dump_SCY - Copy.exe
420	svchost_dump_SCY - Copy.exe
2568	powershell.exe
2568	powershell.exe
3000	powershell.exe
3000	powershell.exe
2568	powershell.exe
3000	powershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	216	WMIC.exe
Token: SeSecurityPrivilege	216	WMIC.exe
Token: SeTakeOwnershipPrivilege	216	WMIC.exe
Token: SeLoadDriverPrivilege	216	WMIC.exe
Token: SeSystemProfilePrivilege	216	WMIC.exe
Token: SeSystemtimePrivilege	216	WMIC.exe
Token: SeProfSingleProcessPrivilege	216	WMIC.exe
Token: SeIncBasePriorityPrivilege	216	WMIC.exe
Token: SeCreatePagefilePrivilege	216	WMIC.exe
Token: SeBackupPrivilege	216	WMIC.exe
Token: SeRestorePrivilege	216	WMIC.exe
Token: SeShutdownPrivilege	216	WMIC.exe
Token: SeDebugPrivilege	216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	216	WMIC.exe
Token: SeRemoteShutdownPrivilege	216	WMIC.exe
Token: SeUndockPrivilege	216	WMIC.exe
Token: SeManageVolumePrivilege	216	WMIC.exe
Token: 33	216	WMIC.exe
Token: 34	216	WMIC.exe
Token: 35	216	WMIC.exe
Token: 36	216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	216	WMIC.exe
Token: SeSecurityPrivilege	216	WMIC.exe
Token: SeTakeOwnershipPrivilege	216	WMIC.exe
Token: SeLoadDriverPrivilege	216	WMIC.exe
Token: SeSystemProfilePrivilege	216	WMIC.exe
Token: SeSystemtimePrivilege	216	WMIC.exe
Token: SeProfSingleProcessPrivilege	216	WMIC.exe
Token: SeIncBasePriorityPrivilege	216	WMIC.exe
Token: SeCreatePagefilePrivilege	216	WMIC.exe
Token: SeBackupPrivilege	216	WMIC.exe
Token: SeRestorePrivilege	216	WMIC.exe
Token: SeShutdownPrivilege	216	WMIC.exe
Token: SeDebugPrivilege	216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	216	WMIC.exe
Token: SeRemoteShutdownPrivilege	216	WMIC.exe
Token: SeUndockPrivilege	216	WMIC.exe
Token: SeManageVolumePrivilege	216	WMIC.exe
Token: 33	216	WMIC.exe
Token: 34	216	WMIC.exe
Token: 35	216	WMIC.exe
Token: 36	216	WMIC.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeIncreaseQuotaPrivilege	392	powershell.exe
Token: SeSecurityPrivilege	392	powershell.exe
Token: SeTakeOwnershipPrivilege	392	powershell.exe
Token: SeLoadDriverPrivilege	392	powershell.exe
Token: SeSystemProfilePrivilege	392	powershell.exe
Token: SeSystemtimePrivilege	392	powershell.exe
Token: SeProfSingleProcessPrivilege	392	powershell.exe
Token: SeIncBasePriorityPrivilege	392	powershell.exe
Token: SeCreatePagefilePrivilege	392	powershell.exe
Token: SeBackupPrivilege	392	powershell.exe
Token: SeRestorePrivilege	392	powershell.exe
Token: SeShutdownPrivilege	392	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeSystemEnvironmentPrivilege	392	powershell.exe
Token: SeRemoteShutdownPrivilege	392	powershell.exe
Token: SeUndockPrivilege	392	powershell.exe
Token: SeManageVolumePrivilege	392	powershell.exe
Token: 33	392	powershell.exe
Token: 34	392	powershell.exe
Token: 35	392	powershell.exe

description	pid	process	target process
PID 420 wrote to memory of 216	420	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 420 wrote to memory of 216	420	svchost_dump_SCY - Copy.exe	WMIC.exe
PID 420 wrote to memory of 3012	420	svchost_dump_SCY - Copy.exe	netsh.exe
PID 420 wrote to memory of 3012	420	svchost_dump_SCY - Copy.exe	netsh.exe
PID 420 wrote to memory of 2268	420	svchost_dump_SCY - Copy.exe	netsh.exe
PID 420 wrote to memory of 2268	420	svchost_dump_SCY - Copy.exe	netsh.exe
PID 420 wrote to memory of 392	420	svchost_dump_SCY - Copy.exe	powershell.exe
PID 420 wrote to memory of 392	420	svchost_dump_SCY - Copy.exe	powershell.exe
PID 420 wrote to memory of 2648	420	svchost_dump_SCY - Copy.exe	powershell.exe
PID 420 wrote to memory of 2648	420	svchost_dump_SCY - Copy.exe	powershell.exe
PID 420 wrote to memory of 1280	420	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 420 wrote to memory of 1280	420	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 420 wrote to memory of 860	420	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 420 wrote to memory of 860	420	svchost_dump_SCY - Copy.exe	schtasks.exe
PID 420 wrote to memory of 596	420	svchost_dump_SCY - Copy.exe	svchost.exe
PID 420 wrote to memory of 596	420	svchost_dump_SCY - Copy.exe	svchost.exe
PID 596 wrote to memory of 1916	596	svchost.exe	WMIC.exe
PID 596 wrote to memory of 1916	596	svchost.exe	WMIC.exe
PID 596 wrote to memory of 2828	596	svchost.exe	netsh.exe
PID 596 wrote to memory of 2828	596	svchost.exe	netsh.exe
PID 596 wrote to memory of 620	596	svchost.exe	netsh.exe
PID 596 wrote to memory of 620	596	svchost.exe	netsh.exe
PID 596 wrote to memory of 2568	596	svchost.exe	powershell.exe
PID 596 wrote to memory of 2568	596	svchost.exe	powershell.exe
PID 596 wrote to memory of 3000	596	svchost.exe	powershell.exe
PID 596 wrote to memory of 3000	596	svchost.exe	powershell.exe

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads