pid	Process
2632	netsh.exe
4704	netsh.exe
4132	netsh.exe
4992	netsh.exe
636	netsh.exe
2128	netsh.exe

pid	Process
4660	svchost.exe
4576	~tl27BD.tmp
2736	svchost.exe
5112	~tlFDF9.tmp

description	ioc	Process
File opened for modification	C:\Windows\System\svchost.exe	~tl27BD.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File created	C:\Windows\System\svchost.exe	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File opened for modification	C:\Windows\System\svchost.exe	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl27BD.tmp

pid	Process
3632	powershell.exe
4828	powershell.exe
3632	powershell.exe
4828	powershell.exe
4828	powershell.exe
3632	powershell.exe
880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
3928	powershell.exe
3420	powershell.exe
3928	powershell.exe
3420	powershell.exe
3420	powershell.exe
3928	powershell.exe
4576	~tl27BD.tmp
4576	~tl27BD.tmp
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
4576	~tl27BD.tmp
4576	~tl27BD.tmp
2736	svchost.exe
2736	svchost.exe
1356	powershell.exe
1356	powershell.exe
1240	powershell.exe
1240	powershell.exe
1356	powershell.exe
1240	powershell.exe
5112	~tlFDF9.tmp
5112	~tlFDF9.tmp
164	powershell.exe
164	powershell.exe
2852	powershell.exe
2852	powershell.exe
164	powershell.exe
2852	powershell.exe

description	pid	Process
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeIncreaseQuotaPrivilege	3632	powershell.exe
Token: SeSecurityPrivilege	3632	powershell.exe
Token: SeTakeOwnershipPrivilege	3632	powershell.exe
Token: SeLoadDriverPrivilege	3632	powershell.exe
Token: SeSystemProfilePrivilege	3632	powershell.exe
Token: SeSystemtimePrivilege	3632	powershell.exe
Token: SeProfSingleProcessPrivilege	3632	powershell.exe
Token: SeIncBasePriorityPrivilege	3632	powershell.exe
Token: SeCreatePagefilePrivilege	3632	powershell.exe
Token: SeBackupPrivilege	3632	powershell.exe
Token: SeRestorePrivilege	3632	powershell.exe
Token: SeShutdownPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeSystemEnvironmentPrivilege	3632	powershell.exe
Token: SeRemoteShutdownPrivilege	3632	powershell.exe
Token: SeUndockPrivilege	3632	powershell.exe
Token: SeManageVolumePrivilege	3632	powershell.exe
Token: 33	3632	powershell.exe
Token: 34	3632	powershell.exe
Token: 35	3632	powershell.exe
Token: 36	3632	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe
Token: 35	3928	powershell.exe
Token: 36	3928	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1356	powershell.exe
Token: SeSecurityPrivilege	1356	powershell.exe
Token: SeTakeOwnershipPrivilege	1356	powershell.exe
Token: SeLoadDriverPrivilege	1356	powershell.exe
Token: SeSystemProfilePrivilege	1356	powershell.exe
Token: SeSystemtimePrivilege	1356	powershell.exe
Token: SeProfSingleProcessPrivilege	1356	powershell.exe
Token: SeIncBasePriorityPrivilege	1356	powershell.exe
Token: SeCreatePagefilePrivilege	1356	powershell.exe
Token: SeBackupPrivilege	1356	powershell.exe
Token: SeRestorePrivilege	1356	powershell.exe
Token: SeShutdownPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeSystemEnvironmentPrivilege	1356	powershell.exe
Token: SeRemoteShutdownPrivilege	1356	powershell.exe

description	pid	Process	procid_target
PID 880 wrote to memory of 3632	880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	72
PID 880 wrote to memory of 3632	880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	72
PID 880 wrote to memory of 4828	880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	74
PID 880 wrote to memory of 4828	880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	74
PID 880 wrote to memory of 2144	880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	77
PID 880 wrote to memory of 2144	880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	77
PID 880 wrote to memory of 4660	880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	79
PID 880 wrote to memory of 4660	880	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	79
PID 4660 wrote to memory of 3928	4660	svchost.exe	81
PID 4660 wrote to memory of 3928	4660	svchost.exe	81
PID 4660 wrote to memory of 3420	4660	svchost.exe	83
PID 4660 wrote to memory of 3420	4660	svchost.exe	83
PID 4660 wrote to memory of 4576	4660	svchost.exe	85
PID 4660 wrote to memory of 4576	4660	svchost.exe	85
PID 4576 wrote to memory of 2640	4576	~tl27BD.tmp	86
PID 4576 wrote to memory of 2640	4576	~tl27BD.tmp	86
PID 4576 wrote to memory of 2632	4576	~tl27BD.tmp	88
PID 4576 wrote to memory of 2632	4576	~tl27BD.tmp	88
PID 4576 wrote to memory of 4704	4576	~tl27BD.tmp	89
PID 4576 wrote to memory of 4704	4576	~tl27BD.tmp	89
PID 4576 wrote to memory of 4732	4576	~tl27BD.tmp	92
PID 4576 wrote to memory of 4732	4576	~tl27BD.tmp	92
PID 4576 wrote to memory of 1912	4576	~tl27BD.tmp	94
PID 4576 wrote to memory of 1912	4576	~tl27BD.tmp	94
PID 4576 wrote to memory of 4712	4576	~tl27BD.tmp	97
PID 4576 wrote to memory of 4712	4576	~tl27BD.tmp	97
PID 4576 wrote to memory of 916	4576	~tl27BD.tmp	99
PID 4576 wrote to memory of 916	4576	~tl27BD.tmp	99
PID 4576 wrote to memory of 2736	4576	~tl27BD.tmp	101
PID 4576 wrote to memory of 2736	4576	~tl27BD.tmp	101
PID 2736 wrote to memory of 3404	2736	svchost.exe	102
PID 2736 wrote to memory of 3404	2736	svchost.exe	102
PID 2736 wrote to memory of 4132	2736	svchost.exe	104
PID 2736 wrote to memory of 4132	2736	svchost.exe	104
PID 2736 wrote to memory of 4992	2736	svchost.exe	106
PID 2736 wrote to memory of 4992	2736	svchost.exe	106
PID 2736 wrote to memory of 1356	2736	svchost.exe	108
PID 2736 wrote to memory of 1356	2736	svchost.exe	108
PID 2736 wrote to memory of 1240	2736	svchost.exe	110
PID 2736 wrote to memory of 1240	2736	svchost.exe	110
PID 2736 wrote to memory of 5112	2736	svchost.exe	112
PID 2736 wrote to memory of 5112	2736	svchost.exe	112
PID 5112 wrote to memory of 4484	5112	~tlFDF9.tmp	113
PID 5112 wrote to memory of 4484	5112	~tlFDF9.tmp	113
PID 5112 wrote to memory of 636	5112	~tlFDF9.tmp	115
PID 5112 wrote to memory of 636	5112	~tlFDF9.tmp	115
PID 5112 wrote to memory of 2128	5112	~tlFDF9.tmp	117
PID 5112 wrote to memory of 2128	5112	~tlFDF9.tmp	117
PID 5112 wrote to memory of 164	5112	~tlFDF9.tmp	119
PID 5112 wrote to memory of 164	5112	~tlFDF9.tmp	119
PID 5112 wrote to memory of 2852	5112	~tlFDF9.tmp	121
PID 5112 wrote to memory of 2852	5112	~tlFDF9.tmp	121

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads