pid	Process
5000	netsh.exe
2688	netsh.exe
1772	netsh.exe
996	netsh.exe
4188	netsh.exe
4796	netsh.exe
212	netsh.exe
2332	netsh.exe
2196	netsh.exe
1892	netsh.exe
4376	netsh.exe
2044	netsh.exe
3524	netsh.exe
4936	netsh.exe
4296	netsh.exe
4124	netsh.exe
624	netsh.exe
4816	netsh.exe
1856	netsh.exe
1980	netsh.exe
1604	netsh.exe
1992	netsh.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	~tl7055.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	~tl9A2A.tmp

pid	Process
1224	svchost.exe
4452	~tl9A2A.tmp
2196	svchost.exe
1004	~tl7055.tmp
4532	svchost.exe
2864	~tlCD45.tmp
1328	svchost.exe
3584	~tl350B.tmp
4216	svchost.exe
3264	~tl9BB7.tmp
5052	svchost.exe
1316	~tl2C0.tmp

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[2].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl350B.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tlCD45.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl9BB7.tmp
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getlog[1].htm	~tl2C0.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl9A2A.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl9A2A.tmp
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe
File created	C:\Windows\System\svchost.exe	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	~tl2C0.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl350B.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	~tl9BB7.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe

pid	Process
4660	powershell.exe
4816	powershell.exe
4816	powershell.exe
4660	powershell.exe
2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe
2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe
3600	powershell.exe
3548	powershell.exe
3548	powershell.exe
3600	powershell.exe
4452	~tl9A2A.tmp
4452	~tl9A2A.tmp
3248	powershell.exe
3248	powershell.exe
5068	powershell.exe
5068	powershell.exe
4452	~tl9A2A.tmp
4452	~tl9A2A.tmp
2196	svchost.exe
2196	svchost.exe
3916	powershell.exe
3916	powershell.exe
3428	powershell.exe
3428	powershell.exe
1004	~tl7055.tmp
1004	~tl7055.tmp
1008	powershell.exe
1008	powershell.exe
1988	powershell.exe
1988	powershell.exe
4532	svchost.exe
4532	svchost.exe
4256	powershell.exe
4256	powershell.exe
4832	powershell.exe
4832	powershell.exe
2864	~tlCD45.tmp
2864	~tlCD45.tmp
3156	powershell.exe
1132	powershell.exe
1132	powershell.exe
3156	powershell.exe
1328	svchost.exe
1328	svchost.exe
4792	powershell.exe
1884	powershell.exe
4792	powershell.exe
1884	powershell.exe
3584	~tl350B.tmp
3584	~tl350B.tmp
320	powershell.exe
320	powershell.exe
4104	powershell.exe
4104	powershell.exe
4216	svchost.exe
4216	svchost.exe
2308	powershell.exe
4812	powershell.exe
2308	powershell.exe
4812	powershell.exe
3264	~tl9BB7.tmp
3264	~tl9BB7.tmp
4848	powershell.exe
4848	powershell.exe

description	pid	Process
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe

description	pid	Process	procid_target
PID 2232 wrote to memory of 4660	2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe	87
PID 2232 wrote to memory of 4660	2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe	87
PID 2232 wrote to memory of 4816	2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe	89
PID 2232 wrote to memory of 4816	2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe	89
PID 2232 wrote to memory of 5076	2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe	93
PID 2232 wrote to memory of 5076	2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe	93
PID 2232 wrote to memory of 1224	2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe	95
PID 2232 wrote to memory of 1224	2232	e9e34828dd3f60d69e3b5ea854a7a06906828cc5cfc8d5906897d2ab3b6765d5.exe	95
PID 1224 wrote to memory of 3600	1224	svchost.exe	99
PID 1224 wrote to memory of 3600	1224	svchost.exe	99
PID 1224 wrote to memory of 3548	1224	svchost.exe	101
PID 1224 wrote to memory of 3548	1224	svchost.exe	101
PID 1224 wrote to memory of 4452	1224	svchost.exe	105
PID 1224 wrote to memory of 4452	1224	svchost.exe	105
PID 4452 wrote to memory of 4820	4452	~tl9A2A.tmp	106
PID 4452 wrote to memory of 4820	4452	~tl9A2A.tmp	106
PID 4452 wrote to memory of 2044	4452	~tl9A2A.tmp	108
PID 4452 wrote to memory of 2044	4452	~tl9A2A.tmp	108
PID 4452 wrote to memory of 1604	4452	~tl9A2A.tmp	110
PID 4452 wrote to memory of 1604	4452	~tl9A2A.tmp	110
PID 4452 wrote to memory of 3248	4452	~tl9A2A.tmp	112
PID 4452 wrote to memory of 3248	4452	~tl9A2A.tmp	112
PID 4452 wrote to memory of 5068	4452	~tl9A2A.tmp	114
PID 4452 wrote to memory of 5068	4452	~tl9A2A.tmp	114
PID 4452 wrote to memory of 4920	4452	~tl9A2A.tmp	116
PID 4452 wrote to memory of 4920	4452	~tl9A2A.tmp	116
PID 4452 wrote to memory of 1476	4452	~tl9A2A.tmp	118
PID 4452 wrote to memory of 1476	4452	~tl9A2A.tmp	118
PID 4452 wrote to memory of 2196	4452	~tl9A2A.tmp	120
PID 4452 wrote to memory of 2196	4452	~tl9A2A.tmp	120
PID 2196 wrote to memory of 2540	2196	svchost.exe	121
PID 2196 wrote to memory of 2540	2196	svchost.exe	121
PID 2196 wrote to memory of 3524	2196	svchost.exe	123
PID 2196 wrote to memory of 3524	2196	svchost.exe	123
PID 2196 wrote to memory of 212	2196	svchost.exe	125
PID 2196 wrote to memory of 212	2196	svchost.exe	125
PID 2196 wrote to memory of 3916	2196	svchost.exe	127
PID 2196 wrote to memory of 3916	2196	svchost.exe	127
PID 2196 wrote to memory of 3428	2196	svchost.exe	129
PID 2196 wrote to memory of 3428	2196	svchost.exe	129
PID 2196 wrote to memory of 1004	2196	svchost.exe	131
PID 2196 wrote to memory of 1004	2196	svchost.exe	131
PID 1004 wrote to memory of 448	1004	~tl7055.tmp	132
PID 1004 wrote to memory of 448	1004	~tl7055.tmp	132
PID 1004 wrote to memory of 4188	1004	~tl7055.tmp	134
PID 1004 wrote to memory of 4188	1004	~tl7055.tmp	134
PID 1004 wrote to memory of 1992	1004	~tl7055.tmp	136
PID 1004 wrote to memory of 1992	1004	~tl7055.tmp	136
PID 1004 wrote to memory of 1008	1004	~tl7055.tmp	138
PID 1004 wrote to memory of 1008	1004	~tl7055.tmp	138
PID 1004 wrote to memory of 1988	1004	~tl7055.tmp	140
PID 1004 wrote to memory of 1988	1004	~tl7055.tmp	140
PID 4532 wrote to memory of 5096	4532	svchost.exe	143
PID 4532 wrote to memory of 5096	4532	svchost.exe	143
PID 4532 wrote to memory of 2332	4532	svchost.exe	145
PID 4532 wrote to memory of 2332	4532	svchost.exe	145
PID 4532 wrote to memory of 4796	4532	svchost.exe	147
PID 4532 wrote to memory of 4796	4532	svchost.exe	147
PID 4532 wrote to memory of 4256	4532	svchost.exe	149
PID 4532 wrote to memory of 4256	4532	svchost.exe	149
PID 4532 wrote to memory of 4832	4532	svchost.exe	151
PID 4532 wrote to memory of 4832	4532	svchost.exe	151
PID 4532 wrote to memory of 2864	4532	svchost.exe	153
PID 4532 wrote to memory of 2864	4532	svchost.exe	153

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads