8972a500674eada6a6d31626e9f5572dac0592a246ecf5c670a7972bb0c3177a

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4KK7_protected.exe

Renames multiple (95) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4KK7_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4KK7_protected.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation	4KK7_protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation	mstray.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	mstray.exe
828	@[email protected]

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2820-0-0x0000000000400000-0x0000000001133000-memory.dmp	themida
behavioral2/memory/2820-2-0x0000000000400000-0x0000000001133000-memory.dmp	themida
behavioral2/memory/2820-3-0x0000000000400000-0x0000000001133000-memory.dmp	themida
behavioral2/memory/2820-55-0x0000000000400000-0x0000000001133000-memory.dmp	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231e8-20.dat	upx
behavioral2/memory/2288-54-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2288-77-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstray = "C:\\Windows\\system32\\mstray.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4KK7_protected.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-433534792-1200107535-3148087551-1000\desktop.ini	explorer.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mstray.exe	cmd.exe
File created	C:\Windows\system32\mstray.exe	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2820	4KK7_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4284	timeout.exe
3244	timeout.exe
4668	timeout.exe
620	timeout.exe
3840	timeout.exe
1500	timeout.exe
2404	timeout.exe
4672	timeout.exe
2644	timeout.exe
2952	timeout.exe
2648	timeout.exe
3400	timeout.exe
2220	timeout.exe
2576	timeout.exe
3316	timeout.exe
3456	timeout.exe
4076	timeout.exe
4892	timeout.exe
4644	timeout.exe
3296	timeout.exe
4420	timeout.exe
2020	timeout.exe
2808	timeout.exe
3220	timeout.exe
2824	timeout.exe
4640	timeout.exe
2968	timeout.exe
2044	timeout.exe
2952	timeout.exe
4844	timeout.exe
4216	timeout.exe
744	timeout.exe
3384	timeout.exe
2392	timeout.exe
940	timeout.exe
3956	timeout.exe
3904	timeout.exe
1864	timeout.exe
5100	timeout.exe
4688	timeout.exe
1788	timeout.exe
4152	timeout.exe
3696	timeout.exe
4852	timeout.exe
2596	timeout.exe
4384	timeout.exe
3444	timeout.exe
4080	timeout.exe
3328	timeout.exe
3608	timeout.exe
1096	timeout.exe
852	timeout.exe
4204	timeout.exe
3184	timeout.exe
1744	timeout.exe
5012	timeout.exe
1744	timeout.exe
4420	timeout.exe
4896	timeout.exe
860	timeout.exe
2676	timeout.exe
2564	timeout.exe
3528	timeout.exe
2720	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
2740	tasklist.exe
1796	tasklist.exe
4992	tasklist.exe
412	tasklist.exe
4196	tasklist.exe
1676	tasklist.exe
3412	tasklist.exe
3976	tasklist.exe
1464	tasklist.exe
3828	tasklist.exe
1920	tasklist.exe
4492	tasklist.exe
4284	tasklist.exe
2732	tasklist.exe
1344	tasklist.exe
400	tasklist.exe
3364	tasklist.exe
1612	tasklist.exe
4344	tasklist.exe
880	tasklist.exe
4864	tasklist.exe
4632	tasklist.exe
1876	tasklist.exe
3452	tasklist.exe
3652	tasklist.exe
1040	tasklist.exe
3864	tasklist.exe
3368	tasklist.exe
1948	tasklist.exe
2212	tasklist.exe
2920	tasklist.exe
4960	tasklist.exe
3432	tasklist.exe
4724	tasklist.exe
1668	tasklist.exe
3080	tasklist.exe
2316	tasklist.exe
4160	tasklist.exe
376	tasklist.exe
4164	tasklist.exe
3548	tasklist.exe
1748	tasklist.exe
1140	tasklist.exe
5004	tasklist.exe
1824	tasklist.exe
4748	tasklist.exe
4884	tasklist.exe
1432	tasklist.exe
3932	tasklist.exe
2328	tasklist.exe
3652	tasklist.exe
1112	tasklist.exe
5080	tasklist.exe
4924	tasklist.exe
2212	tasklist.exe
3800	tasklist.exe
2836	tasklist.exe
1496	tasklist.exe
4264	tasklist.exe
2940	tasklist.exe
4596	tasklist.exe
4968	tasklist.exe
4108	tasklist.exe
3448	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
556	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e7070c004100720067006a00620065007800200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001e00000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000002ec53697c12cda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e7070c004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000001f00000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000fd05fc96c12cda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e7070b00420061007200510065007600690072000a00410062006700200066007600740061007200710020007600610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000000000000000000000000000000000000000000000000000000000000055e74a06a123da0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e7070b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e7070b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e7070b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e7070b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-433534792-1200107535-3148087551-1000\{5EA00BE7-6F6D-4C3C-9282-6F168AB4D7CE}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
3580	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	4KK7_protected.exe
2820	4KK7_protected.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeDebugPrivilege	4028	tasklist.exe
Token: SeDebugPrivilege	1056	tasklist.exe
Token: SeDebugPrivilege	3872	tasklist.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeDebugPrivilege	4240	tasklist.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeDebugPrivilege	4664	tasklist.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe
Token: SeCreatePagefilePrivilege	4260	explorer.exe
Token: SeShutdownPrivilege	4260	explorer.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe
4260	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
828	@[email protected]
828	@[email protected]
892	StartMenuExperienceHost.exe
4232	SearchApp.exe
3556	SearchApp.exe
3452	SearchApp.exe
4892	SearchApp.exe
1576	SearchApp.exe
3588	SearchApp.exe
4260	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 3796	2820	4KK7_protected.exe	92
PID 2820 wrote to memory of 3796	2820	4KK7_protected.exe	92
PID 3796 wrote to memory of 3580	3796	cmd.exe	95
PID 3796 wrote to memory of 3580	3796	cmd.exe	95
PID 3796 wrote to memory of 1056	3796	cmd.exe	97
PID 3796 wrote to memory of 1056	3796	cmd.exe	97
PID 3796 wrote to memory of 2200	3796	cmd.exe	96
PID 3796 wrote to memory of 2200	3796	cmd.exe	96
PID 3796 wrote to memory of 3864	3796	cmd.exe	116
PID 3796 wrote to memory of 3864	3796	cmd.exe	116
PID 3796 wrote to memory of 4944	3796	cmd.exe	115
PID 3796 wrote to memory of 4944	3796	cmd.exe	115
PID 3796 wrote to memory of 3344	3796	cmd.exe	114
PID 3796 wrote to memory of 3344	3796	cmd.exe	114
PID 3796 wrote to memory of 3552	3796	cmd.exe	113
PID 3796 wrote to memory of 3552	3796	cmd.exe	113
PID 3796 wrote to memory of 1340	3796	cmd.exe	101
PID 3796 wrote to memory of 1340	3796	cmd.exe	101
PID 3796 wrote to memory of 116	3796	cmd.exe	100
PID 3796 wrote to memory of 116	3796	cmd.exe	100
PID 3796 wrote to memory of 4044	3796	cmd.exe	98
PID 3796 wrote to memory of 4044	3796	cmd.exe	98
PID 3796 wrote to memory of 4832	3796	cmd.exe	99
PID 3796 wrote to memory of 4832	3796	cmd.exe	99
PID 3796 wrote to memory of 4000	3796	cmd.exe	107
PID 3796 wrote to memory of 4000	3796	cmd.exe	107
PID 3796 wrote to memory of 3348	3796	cmd.exe	106
PID 3796 wrote to memory of 3348	3796	cmd.exe	106
PID 3796 wrote to memory of 1824	3796	cmd.exe	103
PID 3796 wrote to memory of 1824	3796	cmd.exe	103
PID 3796 wrote to memory of 4976	3796	cmd.exe	102
PID 3796 wrote to memory of 4976	3796	cmd.exe	102
PID 3796 wrote to memory of 3720	3796	cmd.exe	105
PID 3796 wrote to memory of 3720	3796	cmd.exe	105
PID 3796 wrote to memory of 2316	3796	cmd.exe	104
PID 3796 wrote to memory of 2316	3796	cmd.exe	104
PID 3796 wrote to memory of 556	3796	cmd.exe	108
PID 3796 wrote to memory of 556	3796	cmd.exe	108
PID 3796 wrote to memory of 4260	3796	cmd.exe	111
PID 3796 wrote to memory of 4260	3796	cmd.exe	111
PID 3796 wrote to memory of 1656	3796	cmd.exe	110
PID 3796 wrote to memory of 1656	3796	cmd.exe	110
PID 3796 wrote to memory of 2288	3796	cmd.exe	112
PID 3796 wrote to memory of 2288	3796	cmd.exe	112
PID 3796 wrote to memory of 2288	3796	cmd.exe	112
PID 2288 wrote to memory of 1572	2288	mstray.exe	118
PID 2288 wrote to memory of 1572	2288	mstray.exe	118
PID 1572 wrote to memory of 4420	1572	cmd.exe	120
PID 1572 wrote to memory of 4420	1572	cmd.exe	120
PID 1572 wrote to memory of 3036	1572	cmd.exe	121
PID 1572 wrote to memory of 3036	1572	cmd.exe	121
PID 3036 wrote to memory of 4028	3036	cmd.exe	122
PID 3036 wrote to memory of 4028	3036	cmd.exe	122
PID 3036 wrote to memory of 3568	3036	cmd.exe	123
PID 3036 wrote to memory of 3568	3036	cmd.exe	123
PID 1572 wrote to memory of 828	1572	cmd.exe	124
PID 1572 wrote to memory of 828	1572	cmd.exe	124
PID 1572 wrote to memory of 828	1572	cmd.exe	124
PID 1572 wrote to memory of 2644	1572	cmd.exe	125
PID 1572 wrote to memory of 2644	1572	cmd.exe	125
PID 1572 wrote to memory of 4908	1572	cmd.exe	126
PID 1572 wrote to memory of 4908	1572	cmd.exe	126
PID 4908 wrote to memory of 1056	4908	cmd.exe	127
PID 4908 wrote to memory of 1056	4908	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4KK7_protected.exe
"C:\Users\Admin\AppData\Local\Temp\4KK7_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4E10.tmp\4E11.tmp\4E12.bat C:\Users\Admin\AppData\Local\Temp\4KK7_protected.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\system32\reg.exe
    reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v wtry /f
    3⤵
    - Modifies registry key
    PID:3580
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Music\*.*" /e /d everyone
    3⤵
    PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4044
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Documents\*.*" /e /d everyone
    3⤵
    PID:4832
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Favorites\*.*" /e /d everyone
    3⤵
    PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1340
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Pictures\*.*" /e /d everyone
    3⤵
    PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1824
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Desktop\*.*" /e /d everyone
    3⤵
    PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3720
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Videos\*.*" /e /d everyone
    3⤵
    PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:4000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "mstray" /t REG_SZ /d "C:\Windows\system32\mstray.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1656
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4260
- - C:\Windows\system32\mstray.exe
    C:\Windows\system32\mstray.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\512D.tmp\512E.tmp\512F.bat C:\Windows\system32\mstray.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3568
    - - C:\LZYVirus\@[email protected]
        
        C:\LZYVirus\@[email protected]
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1616
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4292
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:5112
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2672
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1904
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1648
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3308
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2672
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4708
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1432
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2316
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1688
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3628
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3572
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3468
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4144
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3364
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4184
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5040
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1824
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3348
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3456
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1696
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4960
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3492
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3496
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4176
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1340
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:452
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4708
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1764
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5024
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4884
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4796
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2720
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3696
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4968
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3232
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2824
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4232
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:752
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4844
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3972
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3468
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2128
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:116
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1612
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4100
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5076
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:464
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2752
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4324
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:412
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2332
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3032
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1256
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4108
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1632
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2644
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2696
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3492
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3392
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:912
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1340
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2672
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3008
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3104
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3776
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2884
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2348
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4484
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2720
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3596
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2040
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3988
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3444
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1660
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4888
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2316
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2992
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1040
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2412
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:848
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1496
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1092
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4264
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1080
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:5056
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4188
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3588
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2752
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:5004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4508
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1432
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3568
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1360
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4984
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:412
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4616
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1140
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4028
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5008
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2032
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3964
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2644
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:180
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4736
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:912
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1984
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3004
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2672
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:348
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4608
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1940
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4160
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3484
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1332
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3828
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1028
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5012
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3932
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4512
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3724
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1860
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3580
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4016
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4492
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:412
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3864
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2024
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4472
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3080
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4060
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3456
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4420
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:452
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3392
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1268
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2184
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:400
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4716
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:5044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3500
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2348
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4164
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4080
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1056
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1744
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3244
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2160
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2824
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2316
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1920
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4844
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:380
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2412
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2356
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2576
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3632
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3316
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2404
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4020
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4304
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4068
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4416
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:60
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4120
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2648
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2328
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1432
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2084
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3448
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2832
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3532
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3800
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3132
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2332
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:376
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4000
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4044
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3864
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4836
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3504
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1796
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4316
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3540
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2816
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2200
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1344
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1348
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1536
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4912
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4716
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2184
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2676
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3884
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:456
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3860
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2984
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4280
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4596
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2028
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:228
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3404
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:868
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1772
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2348
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4164
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3500
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2976
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3708
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3820
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2060
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4232
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:532
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3572
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2824
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4960
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4296
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1396
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1660
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2996
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1860
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2212
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4408
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4516
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1612
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2576
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2852
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3916
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3608
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:464
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1904
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4932
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3296
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3076
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3368
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2876
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:552
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2236
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2392
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1632
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3800
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1788
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3788
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3432
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4648
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4452
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5080
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4472
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3492
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4240
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1796
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3496
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:912
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:452
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3004
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4256
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4892
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4196
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4692
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4464
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2836
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4148
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4912
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3192
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3060
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4812
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1568
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2984
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4732
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3408
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3996
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1816
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:620
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1492
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4024
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3792
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4216
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:220
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1732
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3956
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3464
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3436
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2652
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1512
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3708
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1676
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4312
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3484
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2040
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4860
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4348
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3056
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1332
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3244
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3972
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4808
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4896
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:380
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2356
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4136
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4852
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4264
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1612
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:388
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4304
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:5076
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1944
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:5004
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4584
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3888
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3412
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3716
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3368
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2876
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3076
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3008
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3836
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1360
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4640
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4000
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2024
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4084
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2696
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3808
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4064
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:180
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3064
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3496
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1340
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2200
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1096
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1536
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1344
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:516
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2720
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4608
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:400
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2164
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3912
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5016
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3760
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1328
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4496
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2220
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4760
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3860
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4088
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1576
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3460
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3408
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2144
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2408
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3548
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:928
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3428
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4924
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2276
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1508
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4708
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3464
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2700
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4748
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4268
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3184
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4976
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3384
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:992
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3960
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4284
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:5060
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3484
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3104
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4960
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4296
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2884
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2128
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:5012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2996
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:5112
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2212
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2628
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3188
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2860
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3916
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3688
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1556
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3348
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3560
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:404
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2456
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4120
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4308
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4324
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3372
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1872
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4492
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3032
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3532
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2332
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:440
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4984
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1140
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4344
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1464
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4452
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3080
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4316
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3456
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3364
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3540
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4176
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:880
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:912
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3392
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:784
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4992
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2560
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2004
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1948
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4864
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4140
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4400
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:408
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3612
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2220
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4760
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4496
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3988
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4724
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1020
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3408
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2144
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3460
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3328
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1876
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3452
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4668
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:868
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4956
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:620
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3696
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4144
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1732
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2208
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4432
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4528
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3520
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4268
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2976
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3976
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1440
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5052
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2732
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1028
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:5100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4048
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4276
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:5064
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1332
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1660
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3244
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2128
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5112
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2212
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2996
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:116
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2628
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4468
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3316
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1824
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2852
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3592
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3348
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:384
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4412
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3652
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4416
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2596
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2192
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2920
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3628
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4188
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2940
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3532
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4640
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:440
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4984
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2332
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4344
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1464
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1140
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3064
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3504
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:184
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2880
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3540
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2216
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4592
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:880
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4068
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4148
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1536
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1072
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3036
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4864
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2004
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4804
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1460
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3192
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4400
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:540
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4280
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2796
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1548
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4696
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1568
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4928
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4632
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4272
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1908
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4980
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4012
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5088
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2376
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2152
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2120
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2224
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1668
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3696
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1688
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1264
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4184
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2896
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4748
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4884
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4268
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3552
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3524
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3976
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4424
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2020
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4868
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:556
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1744
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4276
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2356
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3244
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4844
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4100
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2212
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:2928
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2980
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2628
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4516
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:5004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4356
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4584
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3588
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:228
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1112
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:468
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4504
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3652
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4120
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2084
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2920
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3372
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:1632
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1748
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1480
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4900
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:5080
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4016
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:2840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4192
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4328
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4456
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:5008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4316
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:180
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3504
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4240
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3496
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3540
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2440
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1268
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3840
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:512
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:4020
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:880
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:2184
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:400
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:396
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3832
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:2688
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4864
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:4804
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4812
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:408
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:1124
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3268
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:1424
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4280
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:5092
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4596
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3796
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4724
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3648
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:3872
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:1020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:4808
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:3616
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:5044
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        
        PID:3408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist|find /i "@[email protected]"
        5⤵
        
        PID:3452
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        
        PID:868
      - C:\Windows\system32\find.exe
        
        find /i "@[email protected]"
        6⤵
        
        PID:4484
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Links\*.*" /e /d everyone
    3⤵
    PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3344
- - C:\Windows\system32\cacls.exe
    cacls "C:\Users\Admin\Downloads\*.*" /e /d everyone
    3⤵
    PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3864

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:2992

C:\Windows\system32\find.exe
find /i "@[email protected]"
1⤵
PID:1772

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery