383039e73c92a8a99307d6c28896ce8e678cfeaacd52f6ab2dcd87ba0d05d5c3

Analysis

max time kernel
379s
max time network
57s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
03-07-2023 16:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Windows-Build-for-Microsoft-Windows-Developers.exe
Size

100.3MB
MD5

3b8447945246a2eb5613000774acf43c
SHA1

af40fabcd5e1e6240e71d46ce5d5c88e2ba87d82
SHA256

383039e73c92a8a99307d6c28896ce8e678cfeaacd52f6ab2dcd87ba0d05d5c3
SHA512

c6b4395d98c633db1dcabb9c923d48fb556cd526a224cf727330e5823a23c7ebf878d97a2c2888939c2540efcfb34295ac170fb44e7e141fa2def685c578d411
SSDEEP

6144:eTouKrWBEu3/Z2lpGDHU3ykJSL7i/yO7zX:eToPWBv/cpGrU3yDL7myu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
976	SilentCMD.exe

Loads dropped DLL 1 IoCs

pid	Process
868	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
1408	tasklist.exe
692	tasklist.exe
1044	tasklist.exe
900	tasklist.exe
1036	tasklist.exe
1636	tasklist.exe
692	tasklist.exe
692	tasklist.exe
1276	tasklist.exe
1976	tasklist.exe
1492	tasklist.exe
1360	tasklist.exe
1044	tasklist.exe
1044	tasklist.exe
1276	tasklist.exe
1276	tasklist.exe
1624	tasklist.exe
1492	tasklist.exe
1092	tasklist.exe
1792	tasklist.exe
1960	tasklist.exe
1152	tasklist.exe
832	tasklist.exe
1964	tasklist.exe
1668	tasklist.exe
932	tasklist.exe
1624	tasklist.exe
1044	tasklist.exe
520	tasklist.exe
560	tasklist.exe
1084	tasklist.exe
848	tasklist.exe
684	tasklist.exe
1380	tasklist.exe
1640	tasklist.exe
1704	tasklist.exe
1964	tasklist.exe
1100	tasklist.exe
1672	tasklist.exe
1044	tasklist.exe
1196	tasklist.exe
1488	tasklist.exe
560	tasklist.exe
1384	tasklist.exe
1396	tasklist.exe
2044	tasklist.exe
1100	tasklist.exe
340	tasklist.exe
848	tasklist.exe
336	tasklist.exe
1396	tasklist.exe
692	tasklist.exe
1568	tasklist.exe
1952	tasklist.exe
1036	tasklist.exe
1380	tasklist.exe
1960	tasklist.exe
540	tasklist.exe
520	tasklist.exe
1964	tasklist.exe
2036	tasklist.exe
1488	tasklist.exe
1408	tasklist.exe
1860	tasklist.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
992	taskkill.exe
1260	taskkill.exe
2024	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
552	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeDebugPrivilege	468	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	988	tasklist.exe
Token: SeDebugPrivilege	764	tasklist.exe
Token: SeDebugPrivilege	1100	tasklist.exe
Token: SeDebugPrivilege	1084	tasklist.exe
Token: SeDebugPrivilege	1044	tasklist.exe
Token: SeDebugPrivilege	1408	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	984	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	520	tasklist.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	1860	tasklist.exe
Token: SeDebugPrivilege	1088	tasklist.exe
Token: SeDebugPrivilege	756	tasklist.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	1380	tasklist.exe
Token: SeDebugPrivilege	1952	tasklist.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeDebugPrivilege	1772	tasklist.exe
Token: SeDebugPrivilege	1260	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	764	tasklist.exe
Token: SeDebugPrivilege	1640	tasklist.exe
Token: SeDebugPrivilege	932	tasklist.exe
Token: SeDebugPrivilege	1384	tasklist.exe
Token: SeDebugPrivilege	2036	tasklist.exe
Token: SeDebugPrivilege	1148	tasklist.exe
Token: SeDebugPrivilege	1960	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	520	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	1792	tasklist.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	1320	tasklist.exe
Token: SeDebugPrivilege	1636	tasklist.exe
Token: SeDebugPrivilege	1044	tasklist.exe
Token: SeDebugPrivilege	540	tasklist.exe
Token: SeDebugPrivilege	1276	tasklist.exe
Token: SeDebugPrivilege	1740	tasklist.exe
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	340	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	1672	tasklist.exe
Token: SeDebugPrivilege	692	tasklist.exe
Token: SeDebugPrivilege	1100	tasklist.exe
Token: SeDebugPrivilege	1084	tasklist.exe
Token: SeDebugPrivilege	1384	tasklist.exe
Token: SeDebugPrivilege	2036	tasklist.exe
Token: SeDebugPrivilege	1148	tasklist.exe
Token: SeDebugPrivilege	1960	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	520	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	1792	tasklist.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	1320	tasklist.exe
Token: SeDebugPrivilege	1636	tasklist.exe
Token: SeDebugPrivilege	1044	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1000	1260	Windows-Build-for-Microsoft-Windows-Developers.exe	28
PID 1260 wrote to memory of 1000	1260	Windows-Build-for-Microsoft-Windows-Developers.exe	28
PID 1260 wrote to memory of 1000	1260	Windows-Build-for-Microsoft-Windows-Developers.exe	28
PID 1260 wrote to memory of 1000	1260	Windows-Build-for-Microsoft-Windows-Developers.exe	28
PID 1000 wrote to memory of 992	1000	cmd.exe	30
PID 1000 wrote to memory of 992	1000	cmd.exe	30
PID 1000 wrote to memory of 992	1000	cmd.exe	30
PID 1000 wrote to memory of 992	1000	cmd.exe	30
PID 1000 wrote to memory of 868	1000	cmd.exe	32
PID 1000 wrote to memory of 868	1000	cmd.exe	32
PID 1000 wrote to memory of 868	1000	cmd.exe	32
PID 1000 wrote to memory of 868	1000	cmd.exe	32
PID 1000 wrote to memory of 1544	1000	cmd.exe	33
PID 1000 wrote to memory of 1544	1000	cmd.exe	33
PID 1000 wrote to memory of 1544	1000	cmd.exe	33
PID 1000 wrote to memory of 1544	1000	cmd.exe	33
PID 1000 wrote to memory of 552	1000	cmd.exe	36
PID 1000 wrote to memory of 552	1000	cmd.exe	36
PID 1000 wrote to memory of 552	1000	cmd.exe	36
PID 1000 wrote to memory of 552	1000	cmd.exe	36
PID 868 wrote to memory of 976	868	cmd.exe	37
PID 868 wrote to memory of 976	868	cmd.exe	37
PID 868 wrote to memory of 976	868	cmd.exe	37
PID 868 wrote to memory of 976	868	cmd.exe	37
PID 1544 wrote to memory of 828	1544	cmd.exe	38
PID 1544 wrote to memory of 828	1544	cmd.exe	38
PID 1544 wrote to memory of 828	1544	cmd.exe	38
PID 1544 wrote to memory of 828	1544	cmd.exe	38
PID 976 wrote to memory of 1948	976	SilentCMD.exe	39
PID 976 wrote to memory of 1948	976	SilentCMD.exe	39
PID 976 wrote to memory of 1948	976	SilentCMD.exe	39
PID 1948 wrote to memory of 2044	1948	cmd.exe	41
PID 1948 wrote to memory of 2044	1948	cmd.exe	41
PID 1948 wrote to memory of 2044	1948	cmd.exe	41
PID 2044 wrote to memory of 1680	2044	cmd.exe	42
PID 2044 wrote to memory of 1680	2044	cmd.exe	42
PID 2044 wrote to memory of 1680	2044	cmd.exe	42
PID 1948 wrote to memory of 984	1948	cmd.exe	43
PID 1948 wrote to memory of 984	1948	cmd.exe	43
PID 1948 wrote to memory of 984	1948	cmd.exe	43
PID 984 wrote to memory of 468	984	cmd.exe	44
PID 984 wrote to memory of 468	984	cmd.exe	44
PID 984 wrote to memory of 468	984	cmd.exe	44
PID 1948 wrote to memory of 1916	1948	cmd.exe	45
PID 1948 wrote to memory of 1916	1948	cmd.exe	45
PID 1948 wrote to memory of 1916	1948	cmd.exe	45
PID 1916 wrote to memory of 560	1916	cmd.exe	46
PID 1916 wrote to memory of 560	1916	cmd.exe	46
PID 1916 wrote to memory of 560	1916	cmd.exe	46
PID 1948 wrote to memory of 520	1948	cmd.exe	47
PID 1948 wrote to memory of 520	1948	cmd.exe	47
PID 1948 wrote to memory of 520	1948	cmd.exe	47
PID 520 wrote to memory of 988	520	cmd.exe	48
PID 520 wrote to memory of 988	520	cmd.exe	48
PID 520 wrote to memory of 988	520	cmd.exe	48
PID 1948 wrote to memory of 1492	1948	cmd.exe	49
PID 1948 wrote to memory of 1492	1948	cmd.exe	49
PID 1948 wrote to memory of 1492	1948	cmd.exe	49
PID 1492 wrote to memory of 764	1492	cmd.exe	50
PID 1492 wrote to memory of 764	1492	cmd.exe	50
PID 1492 wrote to memory of 764	1492	cmd.exe	50
PID 1948 wrote to memory of 1860	1948	cmd.exe	51
PID 1948 wrote to memory of 1860	1948	cmd.exe	51
PID 1948 wrote to memory of 1860	1948	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\Windows-Build-for-Microsoft-Windows-Developers.exe
"C:\Users\Admin\AppData\Local\Temp\Windows-Build-for-Microsoft-Windows-Developers.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\launcher.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /IM wscript.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K startwscript.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe
      SilentCMD wscript.bat
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""wscript.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1860
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1088
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:756
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1380
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1952
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1680
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1516
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:764
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1100
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1084
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1044
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1408
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1596
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2044
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:340
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:560
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1672
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1492
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1320
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1636
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:848
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1408
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1596
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2032
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1516
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:764
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1640
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:932
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1364
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:564
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1916
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:856
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:900
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1860
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1088
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1956
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:284
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:848
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1408
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1596
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2032
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1516
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1488
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1640
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:932
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1364
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:564
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1916
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:2044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:856
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:900
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1860
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1088
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1956
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1952
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1688
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1772
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1732
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:992
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1196
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:2044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1060
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1760
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1316
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2024
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1728
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1684
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2016
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1864
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:936
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:788
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1340
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:2044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:756
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1824
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1152
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1336
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1536
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1260
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:676
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1596
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2032
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1396
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:468
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1516
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1488
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1092
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1084
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1384
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2036
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1624
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1976
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:900
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1396
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1380
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1368
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2024
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1728
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1688
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1320
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1772
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1864
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:992
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:764
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1596
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2032
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:2044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1492
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1516
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1488
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1092
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:832
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1384
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:856
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:916
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1860
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1508
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:900
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1680
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1964
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1364
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:2024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1152
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1536
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1700
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1864
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:992
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:676
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1168
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1740
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1956
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:2028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:340
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1516
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2016
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:660
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:692
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1488
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1100
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1060
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1760
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:2036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1088
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:2032
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:900
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1684
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1484
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:624
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1824
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:564
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1152
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1688
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1536
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1260
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1864
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1168
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:788
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:336
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1528
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:2028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:340
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:560
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1916
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1744
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1488
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1100
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:1092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1936
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:832
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq wscript.exe"
        6⤵
        
        PID:1360
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /NH /FI "IMAGENAME eq wscript.exe"
        7⤵
        
        PID:1060
      - C:\Windows\system32\taskkill.exe
        
        TASKKILL /IM svchost.exe /F
        6⤵
        Kills process with taskkill
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K dialog.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\redscreendialog.vbs"
      4⤵
      PID:828
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 20
    3⤵
    - Runs ping.exe
    PID:552
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /IM svchost.exe /F
    3⤵
    - Kills process with taskkill
    PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:820

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe

Filesize
14KB

MD5
341bf386e067095bb17b875a451c96f2

SHA1
d2cd382f512d096049fcc850ef17e26d12c5e51b

SHA256
2d2ee85092147f08db4ab93b2952e42a971c6c7491985419ac375feda8674c60

SHA512
72b983f16ec4688434790ae662570f1ac0cafc9f6b2264f177ea5fed79b9bd568c996ee3ea8d774851ea3abfb578a8b2533b1d3286c261fce3ed96e2a241c64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe

Filesize
14KB

MD5
341bf386e067095bb17b875a451c96f2

SHA1
d2cd382f512d096049fcc850ef17e26d12c5e51b

SHA256
2d2ee85092147f08db4ab93b2952e42a971c6c7491985419ac375feda8674c60

SHA512
72b983f16ec4688434790ae662570f1ac0cafc9f6b2264f177ea5fed79b9bd568c996ee3ea8d774851ea3abfb578a8b2533b1d3286c261fce3ed96e2a241c64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe.config

Filesize
1KB

MD5
21d29cb345f3cce1fed75f560cf3e88d

SHA1
62672ad278a74617c9e94770cc2cd751b6129f8f

SHA256
dda25a37e941569c6b1cad3f073e2e6694a77397acc44c020b90f42223a6192d

SHA512
4a63de5c86f2582f2511f76ed0b2e7854e68f7da5bc7cf7c367fe060f2b9196e0ae5fb26f43cb748d13f70a062aad58681a22d5b546b8a1bfa119fce25e8c564

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\bluescreen.bat

Filesize
27B

MD5
185c6a1a6a67aa56376895e9af1c844c

SHA1
554f3bd4b28be7417a7110ae53fb9b2020ec5849

SHA256
088b26648dea20201ae89c10eb3f6ceb854a6059a43af918bfb654cbe8b07f3f

SHA512
465f688c6bc666c954b5dc3c45c8bd3f8340f23c1f21ec75e07cbc6c0e12009c57ad293eb0cecc54d1904fd9f7407a2efec8021d2bcfd935668400d7426de51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\dialog.bat

Filesize
36B

MD5
86a7e4cd6aae2fac61a762594e3866ff

SHA1
66c2e08e3a95da98f875d4cca8fd7b53ed9cbcdb

SHA256
1fa5665c513a15b3f2e95e051e68be430923cbd13e0d82e91f2d110945031d6c

SHA512
2d2acc68982dbe099c6ec7231b6d75475c72e70345152c617636b6240dca2a7587ba36a731b9b769bb901e756fda3168210b88bbcff082f10a2cdc8a7883587a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\launcher.bat

Filesize
124B

MD5
66e69e7cce25138db2e0172992f97bf0

SHA1
d9575eb2ab7d71858851f5abbe61d30f07b5962d

SHA256
3534f4c44e447889ecc4d9f1c0b5979656ce15dd83dab30ee8c3eb329a3b5959

SHA512
3c0c90bb7f7c296a6eefaf4fd9ca36f9b422d48374fa647034e5af8af9101e2699239f7c15c903d5b7849bf4da321b8d3a4ae53f4cb90ee51c3de15677330e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\launcher.bat

Filesize
124B

MD5
66e69e7cce25138db2e0172992f97bf0

SHA1
d9575eb2ab7d71858851f5abbe61d30f07b5962d

SHA256
3534f4c44e447889ecc4d9f1c0b5979656ce15dd83dab30ee8c3eb329a3b5959

SHA512
3c0c90bb7f7c296a6eefaf4fd9ca36f9b422d48374fa647034e5af8af9101e2699239f7c15c903d5b7849bf4da321b8d3a4ae53f4cb90ee51c3de15677330e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\redscreendialog.vbs

Filesize
351B

MD5
9f5a59c103bfe22675f7c01c5632073e

SHA1
beeddab4e5ce2899ffe4afbf8e83cec5bd81d745

SHA256
25bcd776b3deb311d552f9fb68df501bcd29fde516fbaeb294a449a66b914847

SHA512
556f5bb1ab8defc38433079e4488285e5631f798eb287e122418bd5b626e4565a906a80a9638a07d420f95f2cc6633a2560e3adbde4068bf57069f8c0b493aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\startwscript.bat

Filesize
32B

MD5
cd726bffa3cbe837642053c6ebce95e4

SHA1
efaa3b2df8b364cd7906df4da3aeed4526404938

SHA256
6f2e6de7768930939aa095a765317f4299207546736a25ada9980de8b96ee615

SHA512
2263a8fe6b41f87ae4a906222b2c02707ce2c94261d9546634f4d40de8535963bc5623a7713e37e87dc97220a9f5f5b295df6e3f86502cf7a7cb66dfa127c987

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\wscript.bat

Filesize
264B

MD5
37ac819f7802526a269a002c902e7e6a

SHA1
8d6665b468a8ac939b209b9ac77e8a702291546a

SHA256
e9161dffa009d79c6ade356bc2d41e1968cecc90f9fcd993b492d7787ef02163

SHA512
19cee76c31cbe0a7ccd0532172ed7f03fd30dc4a7a59f0bf3e37b168e48ef7a16eabc9183f0a6482ff11af0c6fe87aca4b3df79929dbf686087c5720b7839d21

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Build for Microsoft Windows Developers\SilentCMD.exe

Filesize
14KB

MD5
341bf386e067095bb17b875a451c96f2

SHA1
d2cd382f512d096049fcc850ef17e26d12c5e51b

SHA256
2d2ee85092147f08db4ab93b2952e42a971c6c7491985419ac375feda8674c60

SHA512
72b983f16ec4688434790ae662570f1ac0cafc9f6b2264f177ea5fed79b9bd568c996ee3ea8d774851ea3abfb578a8b2533b1d3286c261fce3ed96e2a241c64e

Download Submit
memory/976-130-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/976-131-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/976-124-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1188-134-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download