0411bb4a4de3861d3ab4847bacea07ded82ab69d84548847d76ab6aa1f4ba33b

Analysis

max time kernel
6s
max time network
4s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TCR.cmd
Size

2KB
MD5

4ae373b1ff4ab4c11a734d33624e6bb8
SHA1

8ea41e130c1a6a880770bc0fa3f6c4ca635746da
SHA256

0411bb4a4de3861d3ab4847bacea07ded82ab69d84548847d76ab6aa1f4ba33b
SHA512

f17282038612fc0e01ef6ff7c33aadde1b3e6509c0926d1bcb74a26ad2487e9732500fbe2e4f5a9bd816132f4467a6fcae812a5d33f6ce4860e238441aed6756

Score

1^/10

Malware Config

Signatures

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
3188	timeout.exe
3280	timeout.exe
2572	timeout.exe
2768	timeout.exe
1968	timeout.exe
2812	timeout.exe
2564	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1672	tasklist.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2684	taskkill.exe
3156	taskkill.exe
3204	taskkill.exe
3240	taskkill.exe
3292	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	tasklist.exe
1672	tasklist.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeSystemtimePrivilege	1368	cmd.exe
Token: SeSystemtimePrivilege	1368	cmd.exe
Token: SeDebugPrivilege	1672	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2684	1368	cmd.exe	29
PID 1368 wrote to memory of 2684	1368	cmd.exe	29
PID 1368 wrote to memory of 2684	1368	cmd.exe	29
PID 1368 wrote to memory of 2660	1368	cmd.exe	31
PID 1368 wrote to memory of 2660	1368	cmd.exe	31
PID 1368 wrote to memory of 2660	1368	cmd.exe	31
PID 1368 wrote to memory of 2588	1368	cmd.exe	33
PID 1368 wrote to memory of 2588	1368	cmd.exe	33
PID 1368 wrote to memory of 2588	1368	cmd.exe	33
PID 1368 wrote to memory of 2528	1368	cmd.exe	34
PID 1368 wrote to memory of 2528	1368	cmd.exe	34
PID 1368 wrote to memory of 2528	1368	cmd.exe	34
PID 1368 wrote to memory of 2128	1368	cmd.exe	35
PID 1368 wrote to memory of 2128	1368	cmd.exe	35
PID 1368 wrote to memory of 2128	1368	cmd.exe	35
PID 1368 wrote to memory of 576	1368	cmd.exe	39
PID 1368 wrote to memory of 576	1368	cmd.exe	39
PID 1368 wrote to memory of 576	1368	cmd.exe	39
PID 2128 wrote to memory of 2348	2128	cmd.exe	40
PID 2128 wrote to memory of 2348	2128	cmd.exe	40
PID 2128 wrote to memory of 2348	2128	cmd.exe	40
PID 2128 wrote to memory of 1084	2128	cmd.exe	41
PID 2128 wrote to memory of 1084	2128	cmd.exe	41
PID 2128 wrote to memory of 1084	2128	cmd.exe	41
PID 2588 wrote to memory of 1660	2588	cmd.exe	43
PID 2588 wrote to memory of 1660	2588	cmd.exe	43
PID 2588 wrote to memory of 1660	2588	cmd.exe	43
PID 2348 wrote to memory of 1984	2348	cmd.exe	44
PID 2348 wrote to memory of 1984	2348	cmd.exe	44
PID 2348 wrote to memory of 1984	2348	cmd.exe	44
PID 2348 wrote to memory of 1272	2348	cmd.exe	45
PID 2348 wrote to memory of 1272	2348	cmd.exe	45
PID 2348 wrote to memory of 1272	2348	cmd.exe	45
PID 1084 wrote to memory of 840	1084	cmd.exe	46
PID 1084 wrote to memory of 840	1084	cmd.exe	46
PID 1084 wrote to memory of 840	1084	cmd.exe	46
PID 1084 wrote to memory of 1588	1084	cmd.exe	47
PID 1084 wrote to memory of 1588	1084	cmd.exe	47
PID 1084 wrote to memory of 1588	1084	cmd.exe	47
PID 2528 wrote to memory of 948	2528	cmd.exe	48
PID 2528 wrote to memory of 948	2528	cmd.exe	48
PID 2528 wrote to memory of 948	2528	cmd.exe	48
PID 1984 wrote to memory of 1712	1984	cmd.exe	49
PID 1984 wrote to memory of 1712	1984	cmd.exe	49
PID 1984 wrote to memory of 1712	1984	cmd.exe	49
PID 1660 wrote to memory of 1672	1660	cmd.exe	50
PID 1660 wrote to memory of 1672	1660	cmd.exe	50
PID 1660 wrote to memory of 1672	1660	cmd.exe	50
PID 1984 wrote to memory of 1592	1984	cmd.exe	51
PID 1984 wrote to memory of 1592	1984	cmd.exe	51
PID 1984 wrote to memory of 1592	1984	cmd.exe	51
PID 1712 wrote to memory of 2384	1712	cmd.exe	52
PID 1712 wrote to memory of 2384	1712	cmd.exe	52
PID 1712 wrote to memory of 2384	1712	cmd.exe	52
PID 1712 wrote to memory of 2632	1712	cmd.exe	53
PID 1712 wrote to memory of 2632	1712	cmd.exe	53
PID 1712 wrote to memory of 2632	1712	cmd.exe	53
PID 840 wrote to memory of 2604	840	cmd.exe	54
PID 840 wrote to memory of 2604	840	cmd.exe	54
PID 840 wrote to memory of 2604	840	cmd.exe	54
PID 840 wrote to memory of 2688	840	cmd.exe	55
PID 840 wrote to memory of 2688	840	cmd.exe	55
PID 840 wrote to memory of 2688	840	cmd.exe	55
PID 576 wrote to memory of 2572	576	cmd.exe	56

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TCR.cmd"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\system32\cmd.exe
  cmd /c sys32.cmd
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  cmd /c sys64.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TASKLIST /FI "USERNAME eq KXIPPCKF\Admin" /FI "STATUS eq running"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - \??\c:\Windows\System32\tasklist.exe
      TASKLIST /FI "USERNAME eq KXIPPCKF\Admin" /FI "STATUS eq running"
      4⤵
      Enumerates processes with tasklist
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1672
- - \??\c:\Windows\System32\taskkill.exe
    taskkill /f /im "taskhost.exe"
    3⤵
    - Kills process with taskkill
    PID:3156
- - \??\c:\Windows\System32\taskkill.exe
    taskkill /f /im "dwm.exe"
    3⤵
    - Kills process with taskkill
    PID:3204
- - \??\c:\Windows\System32\taskkill.exe
    taskkill /f /im "dllhost.exe"
    3⤵
    - Kills process with taskkill
    PID:3240
- - \??\c:\Windows\System32\taskkill.exe
    taskkill /f /im "conhost.exe"
    3⤵
    - Kills process with taskkill
    PID:3292
- C:\Windows\system32\cmd.exe
  cmd /c out2.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir C:\*.* /b /a-d /s | findstr /vile ".bat .cmd"
    3⤵
    PID:948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir C:\*.* /b /a-d /s "
      4⤵
      PID:2004
  - - C:\Windows\system32\findstr.exe
      findstr /vile ".bat .cmd"
      4⤵
      PID:2716
- C:\Windows\system32\cmd.exe
  cmd /c sys16.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        6⤵
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:1476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        11⤵
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:1336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        11⤵
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        6⤵
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        12⤵
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        12⤵
        
        PID:3352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        12⤵
        
        PID:3408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        12⤵
        
        PID:3544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        11⤵
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:2772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        11⤵
        
        PID:3696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:1000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        11⤵
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:1704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        11⤵
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        12⤵
        
        PID:3552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        5⤵
        
        PID:1592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        6⤵
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        11⤵
        
        PID:3912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:1724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:1784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        6⤵
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
      4⤵
      PID:1272
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        5⤵
        
        PID:1504
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        6⤵
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:1624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:2248
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        6⤵
        
        PID:2780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:1224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:3672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:3960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        5⤵
        
        PID:1176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        6⤵
        
        PID:1644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:3808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        6⤵
        
        PID:528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        5⤵
        
        PID:2604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        6⤵
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:2948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:800
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        6⤵
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        5⤵
        
        PID:2688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        6⤵
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:1308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        11⤵
        
        PID:3848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3824
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        6⤵
        
        PID:940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        10⤵
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:3376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:2664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        10⤵
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        9⤵
        
        PID:3712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        9⤵
        
        PID:4000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
      4⤵
      PID:1588
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        5⤵
        
        PID:1912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        6⤵
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:3576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        6⤵
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:3792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        5⤵
        
        PID:1092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        6⤵
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:3800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:3920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        6⤵
        
        PID:320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        7⤵
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd"
        8⤵
        
        PID:3472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        8⤵
        
        PID:3784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sys16.cmd "
        7⤵
        
        PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K main.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2572
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2768
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1968
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2812
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2564
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3188
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3280

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\main.cmd

Filesize
938B

MD5
9997affa8c0054fda0894c6f83119fad

SHA1
6223cd27becb30e01365a605d81281b6ff99ac37

SHA256
5d25381795b52c52c1f6a852ed7c89b5c0c3ebf5880b27dcc815d8cecff7c713

SHA512
287b74f217f447454ad2c8dea0b2a4ea631b121938695d8f426bbc64af24c78193a1622401a5cb429a386ea15afc94fd5bd4ef0cfe2a34f41e83657daa7bf8d7

Download Submit
C:\Users\Admin\Desktop\main.cmd

Filesize
972B

MD5
48f5a62ffe42606c186b73fe6ff45339

SHA1
d97cfaab3e6ca5537f1996cc57fc839645def0e0

SHA256
d67834c65dc1b129515787ec91929287d7ca6f50502f675e0f2af4badd117bbc

SHA512
0433283625404b6f085072de00905376440919187e6f70cb7d1f1d283fe3fc11ad31315b9634559e83dfefd77e35aa946d0780ddc24c916375cfeb9cccdaeb63

Download Submit
C:\Users\Admin\Desktop\out2.cmd

Filesize
94B

MD5
e649fdcd6f8531573884ec9ceb15f800

SHA1
26aff8503b3887fcc34fa66f9071d87501ea4cfc

SHA256
b63bde8e00348537a5a887b24521e1c13bbe7e113dbee3935212a56d8066c708

SHA512
265e3fb504f0c5c2946f4d79e05dd9323b55ccf377b80ada021b8bde4a845ed6089789ce6bf497d171b8ad282fcaf4280e1ca89492d313970e96c9e367ada96c

Download Submit
C:\Users\Admin\Desktop\sys16.cmd

Filesize
28B

MD5
a97d92b7537f5bb9988197ef15f27f62

SHA1
1de0609322760c89fd0369f56382938fe3e3e0b7

SHA256
1ceb33c9df179fb04b16e62efa8bfe8cece1afd75efa6a5326d4037348f618fb

SHA512
a28d67b6087be4473cd2d456d47a875cac5ef5b21ba0da1b6fcba0db6e3136ceebd80c158012f0f5c53f7e001a1e6e79b3aa0c2149cd3465ff1adb54b918feb0

Download Submit
C:\Users\Admin\Desktop\sys32.cmd

Filesize
34B

MD5
082bc9e817074dfe94c2a878e811d1b4

SHA1
b5805771fc7fc49a95d5e344bc971196f40bc926

SHA256
f7ebda48c2b0a26cc6726b73fdee22c5d7da92b534af6a3b89a89ca5e7b0755a

SHA512
6ae9632e4bd742de8c3be460341a2d1ecebead7ea29c161c38431d88f0c2724e99749728ef3d56ece15d967b81a16feb268005dd5e675b26f37e259565b8ca76

Download Submit
C:\Users\Admin\Desktop\sys64.cmd

Filesize
361B

MD5
74809fab1e4dbcd5f61787db8284e77b

SHA1
46faf581b4803cd9965ddd047eb4f8e27d0ceb59

SHA256
3f3ae4a59afc2a65574b6c2b274c8425126a2f89627379c4db1eb8ef44ee7a47

SHA512
2893d5ec7799b1e7fa32a4c9aa28e5e50d8ea1fb782bffdb2972a7025750c12f7409c11084f017f5a1854c2b7386ca73f00bb52ea07339913e39e1429b267909

Download Submit