46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
95s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/0044d66e4abf7c4af6b5d207065320f7.exe
Size

127KB
MD5

0044d66e4abf7c4af6b5d207065320f7
SHA1

07e73ac58bee7bdc26d289bb2697d2588a6b7e64
SHA256

b6d19c3e6e82bbde62984f50144ce4d98a18871374ec5d313489d5831317c480
SHA512

25633ea2e3cc78262ba69de30d2d3b7f6c013ce3bcbad2eda3c424ac50d7c0b7169372c5ad2b2cd81748ea0622f3db5ba3429f0d3ecfd3feabbfc65d961af5dd
SSDEEP

3072:Z81clNypY+TjMulQXTR5aJPh7w/1VOCINO2L2Sy7CU9/7NXeLKo1tjv:ZAclNyW+PtqR5M7o1VP+2R7CU9DNXemu

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0044d66e4abf7c4af6b5d207065320f7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2984	0044d66e4abf7c4af6b5d207065320f7.exe
2984	0044d66e4abf7c4af6b5d207065320f7.exe
2984	0044d66e4abf7c4af6b5d207065320f7.exe
2984	0044d66e4abf7c4af6b5d207065320f7.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe
Token: SeDebugPrivilege	2984	0044d66e4abf7c4af6b5d207065320f7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3528	2984	0044d66e4abf7c4af6b5d207065320f7.exe	56
PID 2984 wrote to memory of 612	2984	0044d66e4abf7c4af6b5d207065320f7.exe	5
PID 2984 wrote to memory of 672	2984	0044d66e4abf7c4af6b5d207065320f7.exe	7
PID 2984 wrote to memory of 772	2984	0044d66e4abf7c4af6b5d207065320f7.exe	8
PID 2984 wrote to memory of 780	2984	0044d66e4abf7c4af6b5d207065320f7.exe	9
PID 2984 wrote to memory of 788	2984	0044d66e4abf7c4af6b5d207065320f7.exe	10
PID 2984 wrote to memory of 888	2984	0044d66e4abf7c4af6b5d207065320f7.exe	11
PID 2984 wrote to memory of 940	2984	0044d66e4abf7c4af6b5d207065320f7.exe	12
PID 2984 wrote to memory of 1020	2984	0044d66e4abf7c4af6b5d207065320f7.exe	13
PID 2984 wrote to memory of 380	2984	0044d66e4abf7c4af6b5d207065320f7.exe	14
PID 2984 wrote to memory of 732	2984	0044d66e4abf7c4af6b5d207065320f7.exe	15
PID 2984 wrote to memory of 1036	2984	0044d66e4abf7c4af6b5d207065320f7.exe	16
PID 2984 wrote to memory of 1056	2984	0044d66e4abf7c4af6b5d207065320f7.exe	17
PID 2984 wrote to memory of 1100	2984	0044d66e4abf7c4af6b5d207065320f7.exe	18
PID 2984 wrote to memory of 1132	2984	0044d66e4abf7c4af6b5d207065320f7.exe	19
PID 2984 wrote to memory of 1212	2984	0044d66e4abf7c4af6b5d207065320f7.exe	20
PID 2984 wrote to memory of 1256	2984	0044d66e4abf7c4af6b5d207065320f7.exe	21
PID 2984 wrote to memory of 1328	2984	0044d66e4abf7c4af6b5d207065320f7.exe	22
PID 2984 wrote to memory of 1368	2984	0044d66e4abf7c4af6b5d207065320f7.exe	23
PID 2984 wrote to memory of 1380	2984	0044d66e4abf7c4af6b5d207065320f7.exe	24
PID 2984 wrote to memory of 1412	2984	0044d66e4abf7c4af6b5d207065320f7.exe	25
PID 2984 wrote to memory of 1440	2984	0044d66e4abf7c4af6b5d207065320f7.exe	26
PID 2984 wrote to memory of 1500	2984	0044d66e4abf7c4af6b5d207065320f7.exe	27
PID 2984 wrote to memory of 1656	2984	0044d66e4abf7c4af6b5d207065320f7.exe	28
PID 2984 wrote to memory of 1672	2984	0044d66e4abf7c4af6b5d207065320f7.exe	29
PID 2984 wrote to memory of 1744	2984	0044d66e4abf7c4af6b5d207065320f7.exe	30
PID 2984 wrote to memory of 1792	2984	0044d66e4abf7c4af6b5d207065320f7.exe	31
PID 2984 wrote to memory of 1812	2984	0044d66e4abf7c4af6b5d207065320f7.exe	32
PID 2984 wrote to memory of 1996	2984	0044d66e4abf7c4af6b5d207065320f7.exe	33
PID 2984 wrote to memory of 2016	2984	0044d66e4abf7c4af6b5d207065320f7.exe	34
PID 2984 wrote to memory of 2024	2984	0044d66e4abf7c4af6b5d207065320f7.exe	35
PID 2984 wrote to memory of 1760	2984	0044d66e4abf7c4af6b5d207065320f7.exe	36
PID 2984 wrote to memory of 2008	2984	0044d66e4abf7c4af6b5d207065320f7.exe	37
PID 2984 wrote to memory of 2140	2984	0044d66e4abf7c4af6b5d207065320f7.exe	38
PID 2984 wrote to memory of 2180	2984	0044d66e4abf7c4af6b5d207065320f7.exe	39
PID 2984 wrote to memory of 2216	2984	0044d66e4abf7c4af6b5d207065320f7.exe	40
PID 2984 wrote to memory of 2384	2984	0044d66e4abf7c4af6b5d207065320f7.exe	41
PID 2984 wrote to memory of 2492	2984	0044d66e4abf7c4af6b5d207065320f7.exe	42
PID 2984 wrote to memory of 2500	2984	0044d66e4abf7c4af6b5d207065320f7.exe	43
PID 2984 wrote to memory of 2640	2984	0044d66e4abf7c4af6b5d207065320f7.exe	44
PID 2984 wrote to memory of 2656	2984	0044d66e4abf7c4af6b5d207065320f7.exe	45
PID 2984 wrote to memory of 2708	2984	0044d66e4abf7c4af6b5d207065320f7.exe	46
PID 2984 wrote to memory of 2768	2984	0044d66e4abf7c4af6b5d207065320f7.exe	47
PID 2984 wrote to memory of 2780	2984	0044d66e4abf7c4af6b5d207065320f7.exe	48
PID 2984 wrote to memory of 2804	2984	0044d66e4abf7c4af6b5d207065320f7.exe	49
PID 2984 wrote to memory of 2820	2984	0044d66e4abf7c4af6b5d207065320f7.exe	50
PID 2984 wrote to memory of 2828	2984	0044d66e4abf7c4af6b5d207065320f7.exe	51
PID 2984 wrote to memory of 2976	2984	0044d66e4abf7c4af6b5d207065320f7.exe	52
PID 2984 wrote to memory of 3068	2984	0044d66e4abf7c4af6b5d207065320f7.exe	53
PID 2984 wrote to memory of 3432	2984	0044d66e4abf7c4af6b5d207065320f7.exe	55
PID 2984 wrote to memory of 3528	2984	0044d66e4abf7c4af6b5d207065320f7.exe	56
PID 2984 wrote to memory of 3640	2984	0044d66e4abf7c4af6b5d207065320f7.exe	57
PID 2984 wrote to memory of 3828	2984	0044d66e4abf7c4af6b5d207065320f7.exe	58
PID 2984 wrote to memory of 3916	2984	0044d66e4abf7c4af6b5d207065320f7.exe	59
PID 2984 wrote to memory of 3980	2984	0044d66e4abf7c4af6b5d207065320f7.exe	60
PID 2984 wrote to memory of 4080	2984	0044d66e4abf7c4af6b5d207065320f7.exe	61
PID 2984 wrote to memory of 3184	2984	0044d66e4abf7c4af6b5d207065320f7.exe	62
PID 2984 wrote to memory of 4352	2984	0044d66e4abf7c4af6b5d207065320f7.exe	65
PID 2984 wrote to memory of 4396	2984	0044d66e4abf7c4af6b5d207065320f7.exe	67
PID 2984 wrote to memory of 1616	2984	0044d66e4abf7c4af6b5d207065320f7.exe	68
PID 2984 wrote to memory of 4932	2984	0044d66e4abf7c4af6b5d207065320f7.exe	69
PID 2984 wrote to memory of 2888	2984	0044d66e4abf7c4af6b5d207065320f7.exe	70
PID 2984 wrote to memory of 3700	2984	0044d66e4abf7c4af6b5d207065320f7.exe	71
PID 2984 wrote to memory of 4608	2984	0044d66e4abf7c4af6b5d207065320f7.exe	72

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:780
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3068
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3828
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3916
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3980
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4080
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3184
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:2888
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2688
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:3748
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3612
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2012
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1100
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2768

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\foo\0044d66e4abf7c4af6b5d207065320f7.exe
  "C:\Users\Admin\AppData\Local\Temp\foo\0044d66e4abf7c4af6b5d207065320f7.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3700

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2984-1-0x0000000002030000-0x000000000203A000-memory.dmp

Filesize
40KB

Download
memory/2984-0-0x0000000002030000-0x000000000203A000-memory.dmp

Filesize
40KB

Download
memory/2984-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2984-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download