pid	Process
2692	netsh.exe
2884	netsh.exe
2888	netsh.exe
2064	netsh.exe
2568	netsh.exe
2032	netsh.exe
1316	netsh.exe
2904	netsh.exe
2388	netsh.exe
1944	netsh.exe
1512	netsh.exe
1924	netsh.exe
2768	netsh.exe
2388	netsh.exe
2068	netsh.exe
1540	netsh.exe
1184	netsh.exe
2000	netsh.exe
2228	netsh.exe
1608	netsh.exe
1748	netsh.exe
2888	netsh.exe

pid	Process
1512	svchost.exe
1432	~tl3A52.tmp
1520	svchost.exe
956	~tl1FA1.tmp
1896	svchost.exe
2492	~tl37F2.tmp
2064	svchost.exe
2004	~tlB3C5.tmp
628	svchost.exe
2840	~tl2195.tmp
1944	svchost.exe
1984	~tl83E0.tmp

pid	Process
1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
1512	svchost.exe
1512	svchost.exe
1432	~tl3A52.tmp
1432	~tl3A52.tmp
1520	svchost.exe
1520	svchost.exe
1068	taskeng.exe
1896	svchost.exe
1896	svchost.exe
2596	taskeng.exe
2064	svchost.exe
2064	svchost.exe
2232	taskeng.exe
628	svchost.exe
628	svchost.exe
1132	taskeng.exe
1944	svchost.exe
1944	svchost.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tlB3C5.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WLS0BFK3.htm	~tl2195.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl83E0.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl37F2.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl37F2.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl2195.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\getlog[1].htm	~tl83E0.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tl2195.tmp
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	~tlB3C5.tmp
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\output1[1].jpg	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File created	C:\Windows\System\svchost.exe	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\System\svchost.exe	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	~tl3A52.tmp
File opened for modification	C:\Windows\System\svchost.exe	~tl3A52.tmp

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDetectedUrl	~tl83E0.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDecisionTime = e01822b6f890da01	~tl83E0.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f013c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl37F2.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDecision = "0"	~tlB3C5.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}\WpadDecisionReason = "1"	~tlB3C5.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}\WpadDecisionTime = 80afc7bcf790da01	~tl2195.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f013c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl83E0.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	~tl83E0.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}	~tl37F2.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl37F2.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	~tl37F2.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	~tlB3C5.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f013c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	~tl2195.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	~tlB3C5.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f013c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}\WpadDecisionReason = "1"	~tl37F2.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}\aa-b2-06-dd-e7-80	~tl83E0.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tlB3C5.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}\WpadNetworkName = "Network 3"	~tlB3C5.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}\WpadDecisionTime = 203ea4c1f690da01	~tlB3C5.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDecisionTime = 203ea4c1f690da01	~tlB3C5.tmp
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDecisionReason = "1"	~tl37F2.tmp
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	~tl2195.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDecisionTime = 605a799df890da01	~tl83E0.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	~tl83E0.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f013c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	~tl83E0.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6FE76540-4E62-4423-8017-8775C9B6F7B7}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80	~tlB3C5.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-b2-06-dd-e7-80\WpadDetectedUrl	~tl2195.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	~tl2195.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	~tl2195.tmp

pid	Process
2584	powershell.exe
2592	powershell.exe
1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
1276	powershell.exe
1616	powershell.exe
1432	~tl3A52.tmp
2756	powershell.exe
2852	powershell.exe
1432	~tl3A52.tmp
1520	svchost.exe
576	powershell.exe
3040	powershell.exe
956	~tl1FA1.tmp
1360	powershell.exe
2664	powershell.exe
1896	svchost.exe
1668	powershell.exe
1664	powershell.exe
2492	~tl37F2.tmp
2064	powershell.exe
2508	powershell.exe
2064	svchost.exe
604	powershell.exe
1468	powershell.exe
2004	~tlB3C5.tmp
2548	powershell.exe
2732	powershell.exe
628	svchost.exe
2552	powershell.exe
2344	powershell.exe
2840	~tl2195.tmp
2592	powershell.exe
2544	powershell.exe
1944	svchost.exe
1460	powershell.exe
1540	powershell.exe
1984	~tl83E0.tmp
2516	powershell.exe
2024	powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe

description	pid	Process	procid_target
PID 1728 wrote to memory of 2592	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	29
PID 1728 wrote to memory of 2592	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	29
PID 1728 wrote to memory of 2592	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	29
PID 1728 wrote to memory of 2584	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	31
PID 1728 wrote to memory of 2584	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	31
PID 1728 wrote to memory of 2584	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	31
PID 1728 wrote to memory of 2308	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	33
PID 1728 wrote to memory of 2308	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	33
PID 1728 wrote to memory of 2308	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	33
PID 1728 wrote to memory of 1512	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	35
PID 1728 wrote to memory of 1512	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	35
PID 1728 wrote to memory of 1512	1728	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	35
PID 1512 wrote to memory of 1616	1512	svchost.exe	38
PID 1512 wrote to memory of 1616	1512	svchost.exe	38
PID 1512 wrote to memory of 1616	1512	svchost.exe	38
PID 1512 wrote to memory of 1276	1512	svchost.exe	40
PID 1512 wrote to memory of 1276	1512	svchost.exe	40
PID 1512 wrote to memory of 1276	1512	svchost.exe	40
PID 1512 wrote to memory of 1432	1512	svchost.exe	42
PID 1512 wrote to memory of 1432	1512	svchost.exe	42
PID 1512 wrote to memory of 1432	1512	svchost.exe	42
PID 1432 wrote to memory of 2412	1432	~tl3A52.tmp	45
PID 1432 wrote to memory of 2412	1432	~tl3A52.tmp	45
PID 1432 wrote to memory of 2412	1432	~tl3A52.tmp	45
PID 1432 wrote to memory of 2388	1432	~tl3A52.tmp	47
PID 1432 wrote to memory of 2388	1432	~tl3A52.tmp	47
PID 1432 wrote to memory of 2388	1432	~tl3A52.tmp	47
PID 1432 wrote to memory of 2692	1432	~tl3A52.tmp	49
PID 1432 wrote to memory of 2692	1432	~tl3A52.tmp	49
PID 1432 wrote to memory of 2692	1432	~tl3A52.tmp	49
PID 1432 wrote to memory of 2756	1432	~tl3A52.tmp	51
PID 1432 wrote to memory of 2756	1432	~tl3A52.tmp	51
PID 1432 wrote to memory of 2756	1432	~tl3A52.tmp	51
PID 1432 wrote to memory of 2852	1432	~tl3A52.tmp	53
PID 1432 wrote to memory of 2852	1432	~tl3A52.tmp	53
PID 1432 wrote to memory of 2852	1432	~tl3A52.tmp	53
PID 1432 wrote to memory of 288	1432	~tl3A52.tmp	55
PID 1432 wrote to memory of 288	1432	~tl3A52.tmp	55
PID 1432 wrote to memory of 288	1432	~tl3A52.tmp	55
PID 1432 wrote to memory of 468	1432	~tl3A52.tmp	57
PID 1432 wrote to memory of 468	1432	~tl3A52.tmp	57
PID 1432 wrote to memory of 468	1432	~tl3A52.tmp	57
PID 1432 wrote to memory of 1520	1432	~tl3A52.tmp	59
PID 1432 wrote to memory of 1520	1432	~tl3A52.tmp	59
PID 1432 wrote to memory of 1520	1432	~tl3A52.tmp	59
PID 1520 wrote to memory of 1964	1520	svchost.exe	61
PID 1520 wrote to memory of 1964	1520	svchost.exe	61
PID 1520 wrote to memory of 1964	1520	svchost.exe	61
PID 1520 wrote to memory of 2884	1520	svchost.exe	63
PID 1520 wrote to memory of 2884	1520	svchost.exe	63
PID 1520 wrote to memory of 2884	1520	svchost.exe	63
PID 1520 wrote to memory of 1944	1520	svchost.exe	65
PID 1520 wrote to memory of 1944	1520	svchost.exe	65
PID 1520 wrote to memory of 1944	1520	svchost.exe	65
PID 1520 wrote to memory of 576	1520	svchost.exe	67
PID 1520 wrote to memory of 576	1520	svchost.exe	67
PID 1520 wrote to memory of 576	1520	svchost.exe	67
PID 1520 wrote to memory of 3040	1520	svchost.exe	69
PID 1520 wrote to memory of 3040	1520	svchost.exe	69
PID 1520 wrote to memory of 3040	1520	svchost.exe	69
PID 1520 wrote to memory of 956	1520	svchost.exe	71
PID 1520 wrote to memory of 956	1520	svchost.exe	71
PID 1520 wrote to memory of 956	1520	svchost.exe	71
PID 956 wrote to memory of 2172	956	~tl1FA1.tmp	73

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads