8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55

Analysis

max time kernel
592s
max time network
413s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
Size

1.2MB
MD5

0a56f559dc0bad2522eb1b757e942ffc
SHA1

e0099c491144882394e7923c874a3b5d0da54e34
SHA256

8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55
SHA512

91d0df3dceb6958179b481b9d568d131f4aee1b9d75f0b15b47a5377cd83fb5b59a4111693712d84853d4a5d4012f7deba844d9f16abb88f08a7c82de9a1146b
SSDEEP

24576:8Nx1G7wdV0SBgvVKDq/R1d+rNj0GyAehO4M3t4P9LNSV+36Bl2UaMxWRBGe:O1GkdV0SBgFp1e0GyAMMY9IV+KBJaMx2

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\K:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\N:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\O:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\T:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\W:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\X:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\B:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\Z:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\Q:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\S:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\H:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\E:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\F:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\G:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\R:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\A:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\L:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\M:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\P:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\U:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\V:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\Y:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened (read-only)	\??\I:	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysMain.sys	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
File opened for modification	C:\Windows\SysMain.sys	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1420	sc.exe
1812	sc.exe
760	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
880	schtasks.exe

Delays execution with timeout.exe 38 IoCs

evasion

pid	Process
316	timeout.exe
1604	timeout.exe
1780	timeout.exe
1484	timeout.exe
2004	timeout.exe
1984	timeout.exe
1720	timeout.exe
1708	timeout.exe
1536	timeout.exe
672	timeout.exe
1536	timeout.exe
1956	timeout.exe
964	timeout.exe
860	timeout.exe
1420	timeout.exe
964	timeout.exe
1756	timeout.exe
2016	timeout.exe
964	timeout.exe
1728	timeout.exe
2012	timeout.exe
576	timeout.exe
880	timeout.exe
316	timeout.exe
1184	timeout.exe
560	timeout.exe
1624	timeout.exe
1816	timeout.exe
188	timeout.exe
2032	timeout.exe
1136	timeout.exe
1444	timeout.exe
1716	timeout.exe
1988	timeout.exe
912	timeout.exe
912	timeout.exe
1680	timeout.exe
1104	timeout.exe

Enumerates processes with tasklist 1 TTPs 40 IoCs

Process Discovery

T1057

pid	Process
1548	tasklist.exe
916	tasklist.exe
536	tasklist.exe
280	tasklist.exe
1692	tasklist.exe
1048	tasklist.exe
1124	tasklist.exe
276	tasklist.exe
828	tasklist.exe
832	tasklist.exe
1680	tasklist.exe
536	tasklist.exe
1720	tasklist.exe
1588	tasklist.exe
1048	tasklist.exe
1708	tasklist.exe
1632	tasklist.exe
908	tasklist.exe
1344	tasklist.exe
1992	tasklist.exe
1552	tasklist.exe
1240	tasklist.exe
2004	tasklist.exe
772	tasklist.exe
932	tasklist.exe
812	tasklist.exe
1864	tasklist.exe
1244	tasklist.exe
1704	tasklist.exe
396	tasklist.exe
1540	tasklist.exe
1260	tasklist.exe
2012	tasklist.exe
1452	tasklist.exe
668	tasklist.exe
880	tasklist.exe
576	tasklist.exe
316	tasklist.exe
2036	tasklist.exe
1192	tasklist.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
912	systeminfo.exe
1548	systeminfo.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1552	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
908	tasklist.exe
908	tasklist.exe
1864	tasklist.exe
1864	tasklist.exe
1704	tasklist.exe
1704	tasklist.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	tasklist.exe
Token: SeDebugPrivilege	1864	tasklist.exe
Token: SeBackupPrivilege	1376	vssvc.exe
Token: SeRestorePrivilege	1376	vssvc.exe
Token: SeAuditPrivilege	1376	vssvc.exe
Token: SeDebugPrivilege	832	tasklist.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	1548	tasklist.exe
Token: SeDebugPrivilege	1240	tasklist.exe
Token: SeDebugPrivilege	1048	tasklist.exe
Token: SeDebugPrivilege	1244	tasklist.exe
Token: SeDebugPrivilege	916	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	668	tasklist.exe
Token: SeDebugPrivilege	880	tasklist.exe
Token: SeDebugPrivilege	1260	tasklist.exe
Token: SeDebugPrivilege	1344	tasklist.exe
Token: SeDebugPrivilege	576	tasklist.exe
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeDebugPrivilege	2012	tasklist.exe
Token: SeDebugPrivilege	772	tasklist.exe
Token: SeDebugPrivilege	280	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	396	tasklist.exe
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	932	tasklist.exe
Token: SeDebugPrivilege	1692	tasklist.exe
Token: SeDebugPrivilege	1048	tasklist.exe
Token: SeDebugPrivilege	1452	tasklist.exe
Token: SeDebugPrivilege	1708	tasklist.exe
Token: SeDebugPrivilege	1124	tasklist.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	316	tasklist.exe
Token: SeDebugPrivilege	812	tasklist.exe
Token: SeDebugPrivilege	1552	tasklist.exe
Token: SeDebugPrivilege	828	tasklist.exe
Token: SeDebugPrivilege	1632	tasklist.exe
Token: SeDebugPrivilege	2036	tasklist.exe
Token: SeDebugPrivilege	276	tasklist.exe
Token: SeDebugPrivilege	1192	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 928	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	29
PID 1320 wrote to memory of 928	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	29
PID 1320 wrote to memory of 928	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	29
PID 1320 wrote to memory of 928	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	29
PID 928 wrote to memory of 908	928	cmd.exe	30
PID 928 wrote to memory of 908	928	cmd.exe	30
PID 928 wrote to memory of 908	928	cmd.exe	30
PID 928 wrote to memory of 908	928	cmd.exe	30
PID 928 wrote to memory of 1344	928	cmd.exe	31
PID 928 wrote to memory of 1344	928	cmd.exe	31
PID 928 wrote to memory of 1344	928	cmd.exe	31
PID 928 wrote to memory of 1344	928	cmd.exe	31
PID 1320 wrote to memory of 1604	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	33
PID 1320 wrote to memory of 1604	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	33
PID 1320 wrote to memory of 1604	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	33
PID 1320 wrote to memory of 1604	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	33
PID 1604 wrote to memory of 1420	1604	cmd.exe	34
PID 1604 wrote to memory of 1420	1604	cmd.exe	34
PID 1604 wrote to memory of 1420	1604	cmd.exe	34
PID 1604 wrote to memory of 1420	1604	cmd.exe	34
PID 1320 wrote to memory of 856	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	35
PID 1320 wrote to memory of 856	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	35
PID 1320 wrote to memory of 856	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	35
PID 1320 wrote to memory of 856	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	35
PID 856 wrote to memory of 1812	856	cmd.exe	36
PID 856 wrote to memory of 1812	856	cmd.exe	36
PID 856 wrote to memory of 1812	856	cmd.exe	36
PID 856 wrote to memory of 1812	856	cmd.exe	36
PID 1320 wrote to memory of 852	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	37
PID 1320 wrote to memory of 852	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	37
PID 1320 wrote to memory of 852	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	37
PID 1320 wrote to memory of 852	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	37
PID 852 wrote to memory of 760	852	cmd.exe	38
PID 852 wrote to memory of 760	852	cmd.exe	38
PID 852 wrote to memory of 760	852	cmd.exe	38
PID 852 wrote to memory of 760	852	cmd.exe	38
PID 1320 wrote to memory of 672	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	39
PID 1320 wrote to memory of 672	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	39
PID 1320 wrote to memory of 672	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	39
PID 1320 wrote to memory of 672	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	39
PID 1320 wrote to memory of 556	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	40
PID 1320 wrote to memory of 556	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	40
PID 1320 wrote to memory of 556	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	40
PID 1320 wrote to memory of 556	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	40
PID 556 wrote to memory of 1048	556	cmd.exe	41
PID 556 wrote to memory of 1048	556	cmd.exe	41
PID 556 wrote to memory of 1048	556	cmd.exe	41
PID 556 wrote to memory of 1048	556	cmd.exe	41
PID 1320 wrote to memory of 1708	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	42
PID 1320 wrote to memory of 1708	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	42
PID 1320 wrote to memory of 1708	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	42
PID 1320 wrote to memory of 1708	1320	8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe	42
PID 1708 wrote to memory of 880	1708	cmd.exe	43
PID 1708 wrote to memory of 880	1708	cmd.exe	43
PID 1708 wrote to memory of 880	1708	cmd.exe	43
PID 1708 wrote to memory of 880	1708	cmd.exe	43
PID 1048 wrote to memory of 1944	1048	WScript.exe	44
PID 1048 wrote to memory of 1944	1048	WScript.exe	44
PID 1048 wrote to memory of 1944	1048	WScript.exe	44
PID 1048 wrote to memory of 1944	1048	WScript.exe	44
PID 1048 wrote to memory of 1968	1048	WScript.exe	46
PID 1048 wrote to memory of 1968	1048	WScript.exe	46
PID 1048 wrote to memory of 1968	1048	WScript.exe	46
PID 1048 wrote to memory of 1968	1048	WScript.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe
"C:\Users\Admin\AppData\Local\Temp\8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /v /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "dcdcf"
    3⤵
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
    3⤵
    - Launches sc.exe
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\S-8459.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\S-6748.bat
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\S-6748.bat" "
      4⤵
      PID:1968
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /v
        5⤵
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /c "dcdcf"
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:1552
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:860
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:964
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:316
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1784
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:560
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:576
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:396
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1624
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:880
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:852
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:316
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1420
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:808
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:912
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1720
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1604
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:672
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1708
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1184
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:556
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1536
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:912
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1816
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:828
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:188
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:672
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1160
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:964
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1068
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1680
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1444
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:268
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:964
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:880
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1536
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1104
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2032
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1756
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1716
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1956
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1160
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1780
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1988
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2016
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1484
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2004
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1136
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:2000
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1728
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1488
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1984
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:676
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2012
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "8e288d4319a518755a6e58e0506b9ec1a6b4559edfa3285b0ab3b56cf37b5e55.exe"
        5⤵
        
        PID:1768
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\S-2153.bat'" /f
    3⤵
    - Creates scheduled task(s)
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %date%-%time%
  2⤵
  PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:912
- - C:\Windows\SysWOW64\find.exe
    find /i "os name"
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
  2⤵
  PID:276
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1548
- - C:\Windows\SysWOW64\find.exe
    find /i "original"
    3⤵
    PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\taskeng.exe
taskeng.exe {6BE5D6CA-2B74-4D0E-807A-E5B1E79272D8} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
PID:1260
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\S-2153.bat"
  2⤵
  PID:1420
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\S-8459.vbs"
    3⤵
    PID:2036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\S-6748.bat
      4⤵
      PID:1328
  - - C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\S-6748.bat" "
      4⤵
      PID:1488
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /v
        5⤵
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\system32\find.exe
        
        find /I /c "dcdcf"
        5⤵
        
        PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\S-2153.bat

Filesize
138B

MD5
82a528cbf39b8ea7e2982e7b2305204c

SHA1
717836e0e2b304ed7ae239cc1db0f6f80e0419b1

SHA256
616738526c38e04f992b7b9fc60cb7feb3ee416bf47b69aa2c3a5f1a722a653b

SHA512
eff7654e171dbd9bc471718a7e14ee3c84a9edf948f4c8863c8107e653be8ba06bc7a2876d506d6e4ae7ef2280e820d04615ebcd88894ef01b3667d070241db3

Download Submit
C:\Users\Admin\AppData\S-6748.bat

Filesize
2KB

MD5
6a32e8a38b6b76200038c0efb8be6f2e

SHA1
8eaf7761ffcda65251c28f886e60014aaaafdc7e

SHA256
e757118ecd18f751f0cf4088e12f24c16c125a9b664d38cd45db12c3b606e979

SHA512
5f5f9bd2f48e70afd573cd65e1b7848200ee44b68e48f72d7a0199fbe060a9c16ce2e9826d07adcf6389594b5398a3b7406c2942c52a8e5eb09271eedf4bfa1f

Download Submit
C:\Users\Admin\AppData\S-8459.vbs

Filesize
686B

MD5
ed7a274ff8ac640416952bfb5d6c927a

SHA1
6b33cd5b39db6e9a900336e446f64a137f0a0f42

SHA256
4d68e4a7a437eb4a7ad9c7b28bdda894a68ae41efba8a5e4d3a6a930bebfeea5

SHA512
8f3a4f071550afe716c5d39601cf1e8559084fbb701e95b28eb7685fed6d8a972e662ad19124a2242fd30c291b8dd1f18f1a2dcf56ac6c98f2bf96bac91510f3

Download Submit