4e74ab8a64e7691dbe14d9bfd4cb38608abdc26ae4c5631fa2eee317cda587c6

Analysis

max time kernel
160s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

doenerium-win.exe
Size

104.5MB
MD5

33f7d180d1484c7ce9c0ba132dcda207
SHA1

5991a54f82e4cbef23119c3b6bbd63b28eb6c9b1
SHA256

4e74ab8a64e7691dbe14d9bfd4cb38608abdc26ae4c5631fa2eee317cda587c6
SHA512

20fd04488c2b87c8856cdd1669026ea2b5de1a1cfc14af9a907a2dce743b245ed1f5f9505d914edf64bfed5d4302c4c3e6e39a205513432eed664992c42a2630
SSDEEP

786432:d0LoCOn+2Zs4urYDNulLBiu3kUfA3zxPk9rzge2S8ef8NXSi4mXjY9VqhJawXMcX:dMoCm/ZXwiMda

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1360	doenerium-win.exe
1360	doenerium-win.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
1832	tasklist.exe
1780	tasklist.exe
1396	tasklist.exe
2772	tasklist.exe
4448	tasklist.exe
3848	tasklist.exe
2904	tasklist.exe
3944	tasklist.exe
1604	tasklist.exe
4164	tasklist.exe
4380	tasklist.exe
808	tasklist.exe
2844	tasklist.exe
3868	tasklist.exe
3960	tasklist.exe
728	tasklist.exe
1824	tasklist.exe
3368	tasklist.exe
2264	tasklist.exe
4420	tasklist.exe
3652	tasklist.exe
3472	tasklist.exe
4420	tasklist.exe
428	tasklist.exe
2252	tasklist.exe
780	tasklist.exe
4480	tasklist.exe
4264	tasklist.exe
5004	tasklist.exe
2844	tasklist.exe
4336	tasklist.exe
1280	tasklist.exe
3216	tasklist.exe
1384	tasklist.exe
4928	tasklist.exe
4844	tasklist.exe
2488	tasklist.exe
4088	tasklist.exe
4052	tasklist.exe
1568	tasklist.exe
3688	tasklist.exe
2612	tasklist.exe
3300	tasklist.exe
4620	tasklist.exe
4428	tasklist.exe
4780	tasklist.exe
2568	tasklist.exe
3280	tasklist.exe
2208	tasklist.exe
4740	tasklist.exe
4496	tasklist.exe
3356	tasklist.exe
2592	tasklist.exe
4328	tasklist.exe
4620	tasklist.exe
4872	tasklist.exe
1700	tasklist.exe
4812	tasklist.exe
2020	tasklist.exe
4080	tasklist.exe
100	tasklist.exe
5112	tasklist.exe
2864	tasklist.exe
3420	tasklist.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1156	powershell.exe
1156	powershell.exe
1360	doenerium-win.exe
1360	doenerium-win.exe
1360	doenerium-win.exe
1360	doenerium-win.exe
1360	doenerium-win.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	3432	tasklist.exe
Token: SeDebugPrivilege	1660	tasklist.exe
Token: SeDebugPrivilege	2380	tasklist.exe
Token: SeDebugPrivilege	4972	tasklist.exe
Token: SeDebugPrivilege	4336	tasklist.exe
Token: SeDebugPrivilege	3420	tasklist.exe
Token: SeDebugPrivilege	4568	tasklist.exe
Token: SeDebugPrivilege	2452	tasklist.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	4844	tasklist.exe
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeDebugPrivilege	4740	tasklist.exe
Token: SeDebugPrivilege	4964	tasklist.exe
Token: SeDebugPrivilege	3280	tasklist.exe
Token: SeDebugPrivilege	4496	tasklist.exe
Token: SeDebugPrivilege	2272	tasklist.exe
Token: SeDebugPrivilege	2488	tasklist.exe
Token: SeDebugPrivilege	4620	tasklist.exe
Token: SeDebugPrivilege	216	tasklist.exe
Token: SeDebugPrivilege	3840	tasklist.exe
Token: SeDebugPrivilege	1604	tasklist.exe
Token: SeDebugPrivilege	4420	tasklist.exe
Token: SeDebugPrivilege	4428	tasklist.exe
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeDebugPrivilege	548	tasklist.exe
Token: SeDebugPrivilege	4772	tasklist.exe
Token: SeDebugPrivilege	4080	tasklist.exe
Token: SeDebugPrivilege	2528	tasklist.exe
Token: SeDebugPrivilege	3344	tasklist.exe
Token: SeDebugPrivilege	2252	tasklist.exe
Token: SeDebugPrivilege	780	tasklist.exe
Token: SeDebugPrivilege	3700	tasklist.exe
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	4872	tasklist.exe
Token: SeDebugPrivilege	1600	tasklist.exe
Token: SeDebugPrivilege	1280	tasklist.exe
Token: SeDebugPrivilege	1752	tasklist.exe
Token: SeDebugPrivilege	4780	tasklist.exe
Token: SeDebugPrivilege	4660	tasklist.exe
Token: SeDebugPrivilege	4964	tasklist.exe
Token: SeDebugPrivilege	3276	tasklist.exe
Token: SeDebugPrivilege	776	tasklist.exe
Token: SeDebugPrivilege	3960	tasklist.exe
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	4620	tasklist.exe
Token: SeDebugPrivilege	112	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	3652	tasklist.exe
Token: SeDebugPrivilege	4164	tasklist.exe
Token: SeDebugPrivilege	4416	tasklist.exe
Token: SeDebugPrivilege	5072	tasklist.exe
Token: SeDebugPrivilege	4380	tasklist.exe
Token: SeDebugPrivilege	4480	tasklist.exe
Token: SeDebugPrivilege	4716	tasklist.exe
Token: SeDebugPrivilege	1508	tasklist.exe
Token: SeDebugPrivilege	4580	tasklist.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	3356	tasklist.exe
Token: SeDebugPrivilege	2380	tasklist.exe
Token: SeDebugPrivilege	4052	tasklist.exe
Token: SeDebugPrivilege	3296	tasklist.exe
Token: SeDebugPrivilege	4508	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1224	1360	doenerium-win.exe	82
PID 1360 wrote to memory of 1224	1360	doenerium-win.exe	82
PID 1224 wrote to memory of 1156	1224	cmd.exe	83
PID 1224 wrote to memory of 1156	1224	cmd.exe	83
PID 1156 wrote to memory of 3364	1156	powershell.exe	84
PID 1156 wrote to memory of 3364	1156	powershell.exe	84
PID 3364 wrote to memory of 4428	3364	csc.exe	85
PID 3364 wrote to memory of 4428	3364	csc.exe	85
PID 1360 wrote to memory of 4240	1360	doenerium-win.exe	86
PID 1360 wrote to memory of 4240	1360	doenerium-win.exe	86
PID 4240 wrote to memory of 444	4240	cmd.exe	88
PID 4240 wrote to memory of 444	4240	cmd.exe	88
PID 1360 wrote to memory of 2104	1360	doenerium-win.exe	89
PID 1360 wrote to memory of 2104	1360	doenerium-win.exe	89
PID 2104 wrote to memory of 3432	2104	cmd.exe	90
PID 2104 wrote to memory of 3432	2104	cmd.exe	90
PID 1360 wrote to memory of 3984	1360	doenerium-win.exe	92
PID 1360 wrote to memory of 3984	1360	doenerium-win.exe	92
PID 3984 wrote to memory of 1660	3984	cmd.exe	93
PID 3984 wrote to memory of 1660	3984	cmd.exe	93
PID 1360 wrote to memory of 3972	1360	doenerium-win.exe	94
PID 1360 wrote to memory of 3972	1360	doenerium-win.exe	94
PID 3972 wrote to memory of 2380	3972	cmd.exe	95
PID 3972 wrote to memory of 2380	3972	cmd.exe	95
PID 1360 wrote to memory of 4828	1360	doenerium-win.exe	97
PID 1360 wrote to memory of 4828	1360	doenerium-win.exe	97
PID 4828 wrote to memory of 4972	4828	cmd.exe	98
PID 4828 wrote to memory of 4972	4828	cmd.exe	98
PID 1360 wrote to memory of 4752	1360	doenerium-win.exe	99
PID 1360 wrote to memory of 4752	1360	doenerium-win.exe	99
PID 4752 wrote to memory of 4336	4752	cmd.exe	100
PID 4752 wrote to memory of 4336	4752	cmd.exe	100
PID 1360 wrote to memory of 4324	1360	doenerium-win.exe	101
PID 1360 wrote to memory of 4324	1360	doenerium-win.exe	101
PID 4324 wrote to memory of 3420	4324	cmd.exe	102
PID 4324 wrote to memory of 3420	4324	cmd.exe	102
PID 1360 wrote to memory of 2056	1360	doenerium-win.exe	103
PID 1360 wrote to memory of 2056	1360	doenerium-win.exe	103
PID 2056 wrote to memory of 4568	2056	cmd.exe	104
PID 2056 wrote to memory of 4568	2056	cmd.exe	104
PID 1360 wrote to memory of 4892	1360	doenerium-win.exe	105
PID 1360 wrote to memory of 4892	1360	doenerium-win.exe	105
PID 4892 wrote to memory of 2452	4892	cmd.exe	106
PID 4892 wrote to memory of 2452	4892	cmd.exe	106
PID 1360 wrote to memory of 4504	1360	doenerium-win.exe	107
PID 1360 wrote to memory of 4504	1360	doenerium-win.exe	107
PID 4504 wrote to memory of 2904	4504	cmd.exe	108
PID 4504 wrote to memory of 2904	4504	cmd.exe	108
PID 1360 wrote to memory of 4016	1360	doenerium-win.exe	109
PID 1360 wrote to memory of 4016	1360	doenerium-win.exe	109
PID 4016 wrote to memory of 4844	4016	cmd.exe	110
PID 4016 wrote to memory of 4844	4016	cmd.exe	110
PID 1360 wrote to memory of 2376	1360	doenerium-win.exe	112
PID 1360 wrote to memory of 2376	1360	doenerium-win.exe	112
PID 2376 wrote to memory of 2748	2376	cmd.exe	113
PID 2376 wrote to memory of 2748	2376	cmd.exe	113
PID 1360 wrote to memory of 456	1360	doenerium-win.exe	114
PID 1360 wrote to memory of 456	1360	doenerium-win.exe	114
PID 456 wrote to memory of 4740	456	cmd.exe	115
PID 456 wrote to memory of 4740	456	cmd.exe	115
PID 1360 wrote to memory of 2568	1360	doenerium-win.exe	116
PID 1360 wrote to memory of 2568	1360	doenerium-win.exe	116
PID 2568 wrote to memory of 4964	2568	cmd.exe	117
PID 2568 wrote to memory of 4964	2568	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\doenerium-win.exe
"C:\Users\Admin\AppData\Local\Temp\doenerium-win.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA=="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ihrhfpws\ihrhfpws.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20F5.tmp" "c:\Users\Admin\AppData\Local\Temp\ihrhfpws\CSC10DB32D6594E479BB14BC76EDEC6755A.TMP"
        5⤵
        
        PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1548
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1104
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2832
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3388
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1124
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1180
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2812
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4720
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5028
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4908
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4848
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4448
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4432
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2320
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4912
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3384
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:324
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1476
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4424
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3860
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3104
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3656
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:32
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1664
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3840
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4076
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1580
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3644
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1824
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3392
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4188
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2740
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4156
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2708
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4148
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5108
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4308
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4672
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5056
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1272
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2308
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4252
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1768
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4068
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4756
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4708
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4776
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3260
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3656
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4492
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4584
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:256
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4840
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1460
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:428
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4716
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3924
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3432
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4848
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4800
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3684
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2944
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2132
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3096
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4988
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1792
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4764
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4844
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3196
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2308
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:324
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4952
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1416
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3124
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2332
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3052
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2232
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1472
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2164
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3948
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1836
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5096
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:828
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4840
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1460
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3364
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4380
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1932
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1924
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1488
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4408
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2408
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5100
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2648
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2824
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3464
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2584
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES20F5.tmp

Filesize
1KB

MD5
e1fbd3ed9724bdcded95609a642cd520

SHA1
8b1e698325d1c99f27cd1b6e663099a6f58685b9

SHA256
95e09507ba15f2f9ee92c8f6b0e6c45bd2d25f9c5f92f01435a6f6b3704ac867

SHA512
94d2afa80f9cf75075171fabe32a2641572c090c6cf3bd785be73a15ed84de21b1470bf0ee0c30c0ba9782639fe9452ca7b737e19d9c5db7dd05d2445a85998b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihrhfpws\ihrhfpws.dll

Filesize
3KB

MD5
bab0f3ace064088a78ccbc11a4ecbc84

SHA1
57d0aad88b6c9140e333fd60330ce3b67ea345a2

SHA256
53d4f726a0b035947f87e9d8dc83c840d17db8673b8a167722ec12c51f8e3c9a

SHA512
747a5a7975ca9a466f642546c7b881684f503267bf1b6237c5098b80920635cebeb7c0cffba3257d7a516796750538d5ac99984ab8a1bc5be463b207eec73d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\152ddddf0ebc8fd9fdd0143778b6765e49678532a2b1e33e66adc235fa88b7a7\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node

Filesize
1.6MB

MD5
d5d477af6910a4856d5457b8e667f84b

SHA1
80e99d5b15c1c65ffa7e44c52c14056691ee3295

SHA256
152ddddf0ebc8fd9fdd0143778b6765e49678532a2b1e33e66adc235fa88b7a7

SHA512
435bc0f5b6af33549e59b5c50c43bd62ef5faf6acad85ad9d79f5ee80c82fed86f45391f20a35c0114d92aa80cc8c68aef0420501f4d5f5e2eed701c830013f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\65c46d4832187cac650c6ff1a7156e5bcfc4cb8a96d13abf8a94894bbcc95a36\win-dpapi\build\Release\node-dpapi.node

Filesize
154KB

MD5
1f215c59c2c77bb945de1ae411b1ed10

SHA1
f6ef612ba4cbb73d38c6c7d3ce2a82fa208b3283

SHA256
65c46d4832187cac650c6ff1a7156e5bcfc4cb8a96d13abf8a94894bbcc95a36

SHA512
053ccb69266aae1455e2c0419a00ac3c5e2e8f07462fec80a33922b7d6aa97b0d11dc9e8beaf97f3917ee593a74192a88553f61db81156e0d4c3b21886f14355

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ihrhfpws\CSC10DB32D6594E479BB14BC76EDEC6755A.TMP

Filesize
652B

MD5
447651ae3a44aaf6281cda2efab2f6dc

SHA1
eac09a75a76b0d9e3a09fb69c51657c714a36284

SHA256
0ac428855cef148a3b5f3c3822de837723362be87147c1a4a1efdeca6afe1e82

SHA512
27571c0497314822fcb26e1dd1bfdf0b0e189d61301975bee0aa9afb89bf7d146823d301da2d441a36147cb3de575d60a502df74b68edd92b53ea0b59f17abf5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ihrhfpws\ihrhfpws.0.cs

Filesize
342B

MD5
fb818b5af427cdf4bd5e9e48265dbd9b

SHA1
4494f9fe806d3d0ec6601ab8a6bdb5ff9b37a4ed

SHA256
6914d7afe54b19a22b8dad75c0781e9dc7321bbf43d3fd8fb00179d2d6a7f3f2

SHA512
843c02c18c777ae614a49d27722c495472c2b3ed4d45dc26bbb03d009a189e7241440a77107a7f17f26d03a8771c74efb49af9c98ce83020535c9027abb64cd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ihrhfpws\ihrhfpws.cmdline

Filesize
369B

MD5
fb54c9cae5a79143dbb947d483c36103

SHA1
e7a4aa79b07df14abb2b73fdbfcef82571b34e69

SHA256
256d4a9f41254ef34dc045ea00cb4a8c4d01b82370f626df0ea6662c1a2c1ecf

SHA512
7d41a2b640ecbac11326fe9104fa3dd974b6cf8ff9d4e908b5c345a7a5b77da6a8da79f0850ab9f10b47cbe8d3133eb61c883c4705f05e71aea7ffcf1ecfb110

Download Submit
memory/1156-137-0x000002059F3C0000-0x000002059F8E8000-memory.dmp

Filesize
5.2MB

Download
memory/1156-136-0x000002059ECC0000-0x000002059EE82000-memory.dmp

Filesize
1.8MB

Download
memory/1156-145-0x00007FFF783C0000-0x00007FFF78E81000-memory.dmp

Filesize
10.8MB

Download
memory/1156-135-0x00007FFF783C0000-0x00007FFF78E81000-memory.dmp

Filesize
10.8MB

Download
memory/1156-134-0x000002059E730000-0x000002059E752000-memory.dmp

Filesize
136KB

Download