darkcomet | 61b7e04d9d3a6cd1505f5451590728cd4be52bae18a372fff3d34df35d3731df

Analysis

max time kernel
163s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crypto Trading Bot.exe
Size

5.0MB
MD5

9580c6ee0ec3d08c29020c0dbff23cfa
SHA1

4f8ee5461fe1300e42bfb62747597ed6e339ff29
SHA256

8b06f2e6daad66479102faa65ba46b40d5cd6e3335cf3902971dcd753b37d347
SHA512

491aef0102cbd7d9816b79dac6673607119bc7778c0e1564dc5e60dea6ca265530771fe7855843126fe9322871d50e52aab210984951571468a90805f0bf2f79
SSDEEP

24576:57xgtwBETvT1r+gjhgMp6RZ+XI7vkb4u+yEZEWkc5wiOCjIlwfo915SQEtxZiQWT:36wwv5nh4RWIhltp67CMwfe1+tKSM5

Score

10^/10

darkcomet crypto bot persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Crypto Bot

estherr.no-ip.biz:5604

Mutex

DC_MUTEX-4P0JZTL

Attributes

gencode
x1lNFj9h0ysn
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Crypto Trading Bot.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows\\Windows.exe"	Crypto Trading Bot.exe

Executes dropped EXE 2 IoCs

Processes:

notepad .exeap.exe

pid process

4680 notepad .exe
4056 ap.exe

pid	process
4680	notepad .exe
4056	ap.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeCrypto Trading Bot.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	Crypto Trading Bot.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Crypto Trading Bot.exe

description pid process target process

PID 1536 set thread context of 4680 1536 Crypto Trading Bot.exe notepad .exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2016 4680 WerFault.exe notepad .exe
1656 4680 WerFault.exe notepad .exe

description	pid	process	target process
PID 1536 set thread context of 4680	1536	Crypto Trading Bot.exe	notepad .exe

pid	pid_target	process	target process
2016	4680	WerFault.exe	notepad .exe
1656	4680	WerFault.exe	notepad .exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3668	timeout.exe
1264	timeout.exe
2136	timeout.exe
2400	timeout.exe
3684	timeout.exe
2264	timeout.exe
4188	timeout.exe
1256	timeout.exe
4728	timeout.exe
2260	timeout.exe
4848	timeout.exe
3156	timeout.exe
792	timeout.exe
3836	timeout.exe
1652	timeout.exe
3380	timeout.exe
2136	timeout.exe
2252	timeout.exe
4028	timeout.exe
2208	timeout.exe
4032	timeout.exe
1836	timeout.exe
1836	timeout.exe
972	timeout.exe
2512	timeout.exe
2152	timeout.exe
1728	timeout.exe
4708	timeout.exe
2472	timeout.exe
2908	timeout.exe
4724	timeout.exe
3912	timeout.exe
116	timeout.exe
2372	timeout.exe
3696	timeout.exe
1108	timeout.exe
3628	timeout.exe
972	timeout.exe
4752	timeout.exe
4352	timeout.exe
1584	timeout.exe
4108	timeout.exe
4860	timeout.exe
4900	timeout.exe
4824	timeout.exe
2656	timeout.exe
4848	timeout.exe
1724	timeout.exe
4816	timeout.exe
3424	timeout.exe
3380	timeout.exe
4124	timeout.exe
456	timeout.exe
5068	timeout.exe
3580	timeout.exe
4732	timeout.exe
1724	timeout.exe
1504	timeout.exe
4700	timeout.exe
1948	timeout.exe
868	timeout.exe
2340	timeout.exe
4068	timeout.exe
3912	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
3628	tasklist.exe
2340	tasklist.exe
216	tasklist.exe
2256	tasklist.exe
1076	tasklist.exe
1032	tasklist.exe
1072	tasklist.exe
3048	tasklist.exe
932	tasklist.exe
4500	tasklist.exe
4324	tasklist.exe
1108	tasklist.exe
1952	tasklist.exe
3444	tasklist.exe
2848	tasklist.exe
4768	tasklist.exe
3884	tasklist.exe
1060	tasklist.exe
4284	tasklist.exe
1332	tasklist.exe
3176	tasklist.exe
480	tasklist.exe
3728	tasklist.exe
488	tasklist.exe
4212	tasklist.exe
3856	tasklist.exe
5052	tasklist.exe
4776	tasklist.exe
4888	tasklist.exe
4916	tasklist.exe
3244	tasklist.exe
3516	tasklist.exe
2924	tasklist.exe
4912	tasklist.exe
380	tasklist.exe
4856	tasklist.exe
4100	tasklist.exe
3316	tasklist.exe
520	tasklist.exe
4800	tasklist.exe
2508	tasklist.exe
4496	tasklist.exe
4076	tasklist.exe
3852	tasklist.exe
5036	tasklist.exe
820	tasklist.exe
2980	tasklist.exe
4624	tasklist.exe
3204	tasklist.exe
4612	tasklist.exe
2012	tasklist.exe
2896	tasklist.exe
1700	tasklist.exe
3180	tasklist.exe
2112	tasklist.exe
2124	tasklist.exe
4368	tasklist.exe
944	tasklist.exe
1848	tasklist.exe
2088	tasklist.exe
4924	tasklist.exe
3212	tasklist.exe
1656	tasklist.exe
4376	tasklist.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Crypto Trading Bot.exe

pid process

1536 Crypto Trading Bot.exe
1536 Crypto Trading Bot.exe
1536 Crypto Trading Bot.exe

pid	process
1536	Crypto Trading Bot.exe
1536	Crypto Trading Bot.exe
1536	Crypto Trading Bot.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Crypto Trading Bot.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1536	Crypto Trading Bot.exe
Token: SeDebugPrivilege	3204	tasklist.exe
Token: SeDebugPrivilege	3628	tasklist.exe
Token: SeDebugPrivilege	5036	tasklist.exe
Token: SeDebugPrivilege	4496	tasklist.exe
Token: SeDebugPrivilege	4284	tasklist.exe
Token: SeDebugPrivilege	1332	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	3176	tasklist.exe
Token: SeDebugPrivilege	4908	tasklist.exe
Token: SeDebugPrivilege	2340	tasklist.exe
Token: SeDebugPrivilege	3212	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	820	tasklist.exe
Token: SeDebugPrivilege	4888	tasklist.exe
Token: SeDebugPrivilege	480	tasklist.exe
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeDebugPrivilege	1548	tasklist.exe
Token: SeDebugPrivilege	1656	tasklist.exe
Token: SeDebugPrivilege	2924	tasklist.exe
Token: SeDebugPrivilege	3728	tasklist.exe
Token: SeDebugPrivilege	4076	tasklist.exe
Token: SeDebugPrivilege	4480	tasklist.exe
Token: SeDebugPrivilege	4916	tasklist.exe
Token: SeDebugPrivilege	4620	tasklist.exe
Token: SeDebugPrivilege	4188	tasklist.exe
Token: SeDebugPrivilege	1072	tasklist.exe
Token: SeDebugPrivilege	3244	tasklist.exe
Token: SeDebugPrivilege	3516	tasklist.exe
Token: SeDebugPrivilege	488	tasklist.exe
Token: SeDebugPrivilege	3048	tasklist.exe
Token: SeDebugPrivilege	3992	tasklist.exe
Token: SeDebugPrivilege	4212	tasklist.exe
Token: SeDebugPrivilege	4756	tasklist.exe
Token: SeDebugPrivilege	2820	tasklist.exe
Token: SeDebugPrivilege	4912	tasklist.exe
Token: SeDebugPrivilege	1428	tasklist.exe
Token: SeDebugPrivilege	3856	tasklist.exe
Token: SeDebugPrivilege	380	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe
Token: SeDebugPrivilege	932	tasklist.exe
Token: SeDebugPrivilege	1952	tasklist.exe
Token: SeDebugPrivilege	4376	tasklist.exe
Token: SeDebugPrivilege	3796	tasklist.exe
Token: SeDebugPrivilege	4368	tasklist.exe
Token: SeDebugPrivilege	944	tasklist.exe
Token: SeDebugPrivilege	4856	tasklist.exe
Token: SeDebugPrivilege	4100	tasklist.exe
Token: SeDebugPrivilege	4500	tasklist.exe
Token: SeDebugPrivilege	3444	tasklist.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeDebugPrivilege	2848	tasklist.exe
Token: SeDebugPrivilege	4612	tasklist.exe
Token: SeDebugPrivilege	4768	tasklist.exe
Token: SeDebugPrivilege	5052	tasklist.exe
Token: SeDebugPrivilege	216	tasklist.exe
Token: SeDebugPrivilege	2256	tasklist.exe
Token: SeDebugPrivilege	1848	tasklist.exe
Token: SeDebugPrivilege	2240	tasklist.exe
Token: SeDebugPrivilege	620	tasklist.exe
Token: SeDebugPrivilege	2012	tasklist.exe
Token: SeDebugPrivilege	4776	tasklist.exe
Token: SeDebugPrivilege	4832	tasklist.exe
Token: SeDebugPrivilege	3180	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Crypto Trading Bot.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 1536 wrote to memory of 3780	1536	Crypto Trading Bot.exe	cmd.exe
PID 1536 wrote to memory of 3780	1536	Crypto Trading Bot.exe	cmd.exe
PID 1536 wrote to memory of 3780	1536	Crypto Trading Bot.exe	cmd.exe
PID 3780 wrote to memory of 536	3780	cmd.exe	wscript.exe
PID 3780 wrote to memory of 536	3780	cmd.exe	wscript.exe
PID 3780 wrote to memory of 536	3780	cmd.exe	wscript.exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 1536 wrote to memory of 4680	1536	Crypto Trading Bot.exe	notepad .exe
PID 536 wrote to memory of 684	536	wscript.exe	cmd.exe
PID 536 wrote to memory of 684	536	wscript.exe	cmd.exe
PID 536 wrote to memory of 684	536	wscript.exe	cmd.exe
PID 1536 wrote to memory of 4040	1536	Crypto Trading Bot.exe	cmd.exe
PID 1536 wrote to memory of 4040	1536	Crypto Trading Bot.exe	cmd.exe
PID 1536 wrote to memory of 4040	1536	Crypto Trading Bot.exe	cmd.exe
PID 1536 wrote to memory of 1072	1536	Crypto Trading Bot.exe	cmd.exe
PID 1536 wrote to memory of 1072	1536	Crypto Trading Bot.exe	cmd.exe
PID 1536 wrote to memory of 1072	1536	Crypto Trading Bot.exe	cmd.exe
PID 4040 wrote to memory of 4900	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 4900	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 4900	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 3204	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 3204	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 3204	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 5080	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 5080	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 5080	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 3684	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 3684	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 3684	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 3628	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 3628	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 3628	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 1916	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 1916	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 1916	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 3396	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 3396	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 3396	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 5036	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 5036	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 5036	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 2776	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 2776	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 2776	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 4752	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 4752	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 4752	4040	cmd.exe	timeout.exe
PID 4040 wrote to memory of 4496	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 4496	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 4496	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 3300	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 3300	4040	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\Crypto Trading Bot.exe
"C:\Users\Admin\AppData\Local\Temp\Crypto Trading Bot.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Windows\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Windows\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\Windows\mata2.bat
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Windows\mata2.bat" "
4⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 552
3⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 552
3⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Windows\stres.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4900

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:5080

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3684

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1916

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:3396

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2776

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4752

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3300

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4352

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2512

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3156

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4756

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3920

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2088

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4824

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:868

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4108

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2224

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4708

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4004

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2472

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4676

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4860

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4588

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2656

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1724

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4700

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3120

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:4796

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4128

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1948

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1192

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:792

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4472

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2908

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2264

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1108

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3908

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4124

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4320

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4724

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4540

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3668

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3492

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:4940

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4952

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2208

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4900

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:116

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1920

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1264

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3204

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2372

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3520

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3836

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:488

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4572

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:456

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3028

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:3300

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3984

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3696

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2416

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:1336

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1332

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:1508

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4332

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4032

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3660

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2260

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1436

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:868

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1820

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2340

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4060

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3912

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4004

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4848

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2380

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:3424

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1632

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3380

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3456

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1724

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2488

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4412

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2136

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4128

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3708

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:3664

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4564

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:5068

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1164

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2264

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3488

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:4344

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1624

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:4076

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4468

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:5048

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4896

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:4916

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3384

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:4620

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4396

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4188

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2328

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:4892

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1264

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3580

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2372

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3628

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:824

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1256

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4752

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4728

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4328

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2512

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3156

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4068

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1272

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4732

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3140

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4816

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:2088

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:828

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2152

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:3884

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4904

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1652

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:3316

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1816

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2252

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:520

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2008

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3912

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:2112

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4116

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4848

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:1076

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4860

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3424

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:3852

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1960

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:3380

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:1060

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4888

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1724

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:4324

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:1276

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:4800

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3736

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2136

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:2896

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2592

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:2508

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3880

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:2908

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
PID:2448

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2568

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:4028

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:1108

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:3488

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:1504

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
PID:752

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:4076

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
- Delays execution with timeout.exe
PID:2400

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:4624

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:2316

C:\Windows\SysWOW64\timeout.exe
timeout /t @@
3⤵
PID:4880

C:\Windows\SysWOW64\tasklist.exe
tasklist /nh /fi "imagename eq notepad .exe"
3⤵
- Enumerates processes with tasklist
PID:4924

C:\Windows\SysWOW64\find.exe
find /i "notepad .exe"
3⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\ap.exe
"C:\Users\Admin\AppData\Local\Temp\ap.exe"
3⤵
- Executes dropped EXE
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Windows\melt.bat
2⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4680 -ip 4680
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4680 -ip 4680
1⤵
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows\Windows.exe
Filesize
5.0MB

MD5
9580c6ee0ec3d08c29020c0dbff23cfa

SHA1
4f8ee5461fe1300e42bfb62747597ed6e339ff29

SHA256
8b06f2e6daad66479102faa65ba46b40d5cd6e3335cf3902971dcd753b37d347

SHA512
491aef0102cbd7d9816b79dac6673607119bc7778c0e1564dc5e60dea6ca265530771fe7855843126fe9322871d50e52aab210984951571468a90805f0bf2f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\mata.bat
Filesize
63B

MD5
260efbd339dd3b0ab091d66df5cd3a16

SHA1
69d4e59b4e8edc557ee9b9a351576ea61f3092cc

SHA256
1d87c3291eda5b1fd8f3ff3fccb7efde33955fea4487369dfa23132f63e3b969

SHA512
cad75d955bb4ca61a8d2a9f5fac0c0ddc8fe97d05ad12850b2734efadb237b5310d4264745972f8a78b3918a90e23fba8d540fd64791eac8c3be9a5e50042812

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\mata2.bat
Filesize
68B

MD5
553af02e55667d29f9054e5c101e2681

SHA1
1e4dfaf248d5800a1b61cec13d0f47370550510b

SHA256
0cf596fc133d75e2d007682a3f9caf1ae61137e50d3eb1354edca506434d7bb9

SHA512
4fa45b23be7f6900a50f7e6540017e137b88d770960148a05a8f00f52ce98762f6f2ef4d9cd721c5b2033ae0d6f063ab0ad8a1fd4fa2c94dff30fb0fb0d53e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\rundll11-.txt
Filesize
5.0MB

MD5
9580c6ee0ec3d08c29020c0dbff23cfa

SHA1
4f8ee5461fe1300e42bfb62747597ed6e339ff29

SHA256
8b06f2e6daad66479102faa65ba46b40d5cd6e3335cf3902971dcd753b37d347

SHA512
491aef0102cbd7d9816b79dac6673607119bc7778c0e1564dc5e60dea6ca265530771fe7855843126fe9322871d50e52aab210984951571468a90805f0bf2f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows\stres.bat
Filesize
197B

MD5
baa5967892307b9bfb407b3af219d530

SHA1
0885a05bfaf364c6558d78ab7dd2d4acadca243f

SHA256
88ab119f42700edf3b3960a0c3737570d66d869a3d81205e415526bf3534bf95

SHA512
1f1caa8923401394c3ddb7c5c3a2683f2ff01e1b20366988dabbb37d3db3cdd35f4f19412f994068eba88dfce9519d6e4a27834835d4c4ea3db2531a72b654f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ap.exe
Filesize
156KB

MD5
a5b656183ccf21ef700f56406eb21525

SHA1
554aa9e72a3be3dff7e1a069d9c2e1fcf54e6b41

SHA256
aaa68a7b2131ad9ab852a66b8110d08dcc483bcee5afec941f65fe94c3a670b5

SHA512
e98d8370a7cd04586b18694be7d7586f76b2c1b9a642ead759716c6ce4b95be2aad69fa555f2f84cb83e76163c6702d37c3d0199e52162f35d5c5229a81107df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ap.exe
Filesize
156KB

MD5
a5b656183ccf21ef700f56406eb21525

SHA1
554aa9e72a3be3dff7e1a069d9c2e1fcf54e6b41

SHA256
aaa68a7b2131ad9ab852a66b8110d08dcc483bcee5afec941f65fe94c3a670b5

SHA512
e98d8370a7cd04586b18694be7d7586f76b2c1b9a642ead759716c6ce4b95be2aad69fa555f2f84cb83e76163c6702d37c3d0199e52162f35d5c5229a81107df

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/480-197-0x0000000000000000-mapping.dmp

Download
memory/536-136-0x0000000000000000-mapping.dmp

Download
memory/684-147-0x0000000000000000-mapping.dmp

Download
memory/792-205-0x0000000000000000-mapping.dmp

Download
memory/820-191-0x0000000000000000-mapping.dmp

Download
memory/868-180-0x0000000000000000-mapping.dmp

Download
memory/1032-173-0x0000000000000000-mapping.dmp

Download
memory/1072-152-0x0000000000000000-mapping.dmp

Download
memory/1108-211-0x0000000000000000-mapping.dmp

Download
memory/1192-204-0x0000000000000000-mapping.dmp

Download
memory/1332-170-0x0000000000000000-mapping.dmp

Download
memory/1536-133-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1536-155-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1536-132-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1548-203-0x0000000000000000-mapping.dmp

Download
memory/1584-175-0x0000000000000000-mapping.dmp

Download
memory/1656-206-0x0000000000000000-mapping.dmp

Download
memory/1700-188-0x0000000000000000-mapping.dmp

Download
memory/1724-195-0x0000000000000000-mapping.dmp

Download
memory/1728-172-0x0000000000000000-mapping.dmp

Download
memory/1916-159-0x0000000000000000-mapping.dmp

Download
memory/1948-202-0x0000000000000000-mapping.dmp

Download
memory/2088-177-0x0000000000000000-mapping.dmp

Download
memory/2124-200-0x0000000000000000-mapping.dmp

Download
memory/2224-183-0x0000000000000000-mapping.dmp

Download
memory/2264-210-0x0000000000000000-mapping.dmp

Download
memory/2340-182-0x0000000000000000-mapping.dmp

Download
memory/2472-187-0x0000000000000000-mapping.dmp

Download
memory/2512-168-0x0000000000000000-mapping.dmp

Download
memory/2656-193-0x0000000000000000-mapping.dmp

Download
memory/2776-162-0x0000000000000000-mapping.dmp

Download
memory/2908-208-0x0000000000000000-mapping.dmp

Download
memory/2924-209-0x0000000000000000-mapping.dmp

Download
memory/3120-198-0x0000000000000000-mapping.dmp

Download
memory/3156-169-0x0000000000000000-mapping.dmp

Download
memory/3176-176-0x0000000000000000-mapping.dmp

Download
memory/3204-154-0x0000000000000000-mapping.dmp

Download
memory/3212-185-0x0000000000000000-mapping.dmp

Download
memory/3300-165-0x0000000000000000-mapping.dmp

Download
memory/3396-160-0x0000000000000000-mapping.dmp

Download
memory/3628-158-0x0000000000000000-mapping.dmp

Download
memory/3684-157-0x0000000000000000-mapping.dmp

Download
memory/3780-134-0x0000000000000000-mapping.dmp

Download
memory/3920-174-0x0000000000000000-mapping.dmp

Download
memory/4004-186-0x0000000000000000-mapping.dmp

Download
memory/4040-149-0x0000000000000000-mapping.dmp

Download
memory/4056-214-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4108-181-0x0000000000000000-mapping.dmp

Download
memory/4128-201-0x0000000000000000-mapping.dmp

Download
memory/4284-167-0x0000000000000000-mapping.dmp

Download
memory/4352-166-0x0000000000000000-mapping.dmp

Download
memory/4472-207-0x0000000000000000-mapping.dmp

Download
memory/4496-164-0x0000000000000000-mapping.dmp

Download
memory/4588-192-0x0000000000000000-mapping.dmp

Download
memory/4676-189-0x0000000000000000-mapping.dmp

Download
memory/4680-139-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4680-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4680-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4680-137-0x0000000000000000-mapping.dmp

Download
memory/4700-196-0x0000000000000000-mapping.dmp

Download
memory/4708-184-0x0000000000000000-mapping.dmp

Download
memory/4752-163-0x0000000000000000-mapping.dmp

Download
memory/4756-171-0x0000000000000000-mapping.dmp

Download
memory/4796-199-0x0000000000000000-mapping.dmp

Download
memory/4824-178-0x0000000000000000-mapping.dmp

Download
memory/4860-190-0x0000000000000000-mapping.dmp

Download
memory/4888-194-0x0000000000000000-mapping.dmp

Download
memory/4900-153-0x0000000000000000-mapping.dmp

Download
memory/4908-179-0x0000000000000000-mapping.dmp

Download
memory/5036-161-0x0000000000000000-mapping.dmp

Download
memory/5080-156-0x0000000000000000-mapping.dmp

Download