bd84270f0817b62d7407a54f967312fb3f695aef267618173576022147b74382

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gold-crypted.exe
Size

19.9MB
MD5

a877c33e85699533c1b38def5705805d
SHA1

0183458283e77ddbe20f54af8d7adb6aaee40fc3
SHA256

bd84270f0817b62d7407a54f967312fb3f695aef267618173576022147b74382
SHA512

dc47087d4e0210fd298e439fef630bf083c7afcfb9e1b0472ae208b4b5d1d3582eb3a0de1e2abde9fc98764cc9cbebd7e80d2200c497a40f4d3533f64d7a355a
SSDEEP

393216:Xqu/p92ZxPCGywUP1xX4TFLl/ht3W1aDcq33TxNX+9yl/l7Am71G:BDsxFwroRN3MaDN3ju9GdEm7

Score

7^/10

discovery pyinstaller

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1704	Output.exe
2216	sqli_dumper_gold.exe
2828	built (2).exe
2736	MSUpdate.exe
2196	MSUpdate.exe
1208	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
2616	gold-crypted.exe
2616	gold-crypted.exe
2616	gold-crypted.exe
1704	Output.exe
2828	built (2).exe
2196	MSUpdate.exe
1208	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
2992	tasklist.exe
3192	tasklist.exe
3704	tasklist.exe
3644	tasklist.exe
3736	tasklist.exe
2892	tasklist.exe
3592	tasklist.exe
3640	tasklist.exe
3796	tasklist.exe
1276	tasklist.exe
3796	tasklist.exe
3236	tasklist.exe
1308	tasklist.exe
2528	tasklist.exe
2144	tasklist.exe
892	tasklist.exe
2260	tasklist.exe
3404	tasklist.exe
3844	tasklist.exe
3296	tasklist.exe
3380	tasklist.exe
3948	tasklist.exe
2680	tasklist.exe
2576	tasklist.exe
2068	tasklist.exe
3176	tasklist.exe
2112	tasklist.exe
1880	tasklist.exe
1832	tasklist.exe
3500	tasklist.exe
2460	tasklist.exe
3900	tasklist.exe
2556	tasklist.exe
2988	tasklist.exe
2968	tasklist.exe
3940	tasklist.exe
2688	tasklist.exe
2044	tasklist.exe
3076	tasklist.exe
3964	tasklist.exe
2360	tasklist.exe
3028	tasklist.exe
3212	tasklist.exe
3264	tasklist.exe
348	tasklist.exe
688	tasklist.exe
928	tasklist.exe
3352	tasklist.exe
3740	tasklist.exe
2156	tasklist.exe
3696	tasklist.exe
2256	tasklist.exe
4016	tasklist.exe
3436	tasklist.exe
2340	tasklist.exe
4044	tasklist.exe
3376	tasklist.exe
2612	tasklist.exe
2916	tasklist.exe
776	tasklist.exe
3120	tasklist.exe
768	tasklist.exe
1328	tasklist.exe
2712	tasklist.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000016d6b-39.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold-crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqli_dumper_gold.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
3148	timeout.exe
356	timeout.exe
2904	timeout.exe
3252	timeout.exe
3416	timeout.exe
3860	timeout.exe
3580	timeout.exe
1632	timeout.exe
3008	timeout.exe
3664	timeout.exe
3772	timeout.exe
788	timeout.exe
1520	timeout.exe
2376	timeout.exe
3916	timeout.exe
3928	timeout.exe
3448	timeout.exe
1456	timeout.exe
2136	timeout.exe
3348	timeout.exe
4000	timeout.exe
1256	timeout.exe
2016	timeout.exe
3832	timeout.exe
1840	timeout.exe
2492	timeout.exe
1576	timeout.exe
2472	timeout.exe
3880	timeout.exe
2960	timeout.exe
1992	timeout.exe
1768	timeout.exe
2540	timeout.exe
2656	timeout.exe
2488	timeout.exe
3760	timeout.exe
1560	timeout.exe
2844	timeout.exe
3196	timeout.exe
4068	timeout.exe
2520	timeout.exe
3496	timeout.exe
1744	timeout.exe
3440	timeout.exe
788	timeout.exe
3116	timeout.exe
3496	timeout.exe
2488	timeout.exe
3108	timeout.exe
3792	timeout.exe
3100	timeout.exe
3536	timeout.exe
1636	timeout.exe
1728	timeout.exe
2920	timeout.exe
3460	timeout.exe
1368	timeout.exe
1964	timeout.exe
3248	timeout.exe
2740	timeout.exe
2676	timeout.exe
4004	timeout.exe
1560	timeout.exe
3100	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2828	built (2).exe
2828	built (2).exe
2828	built (2).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	built (2).exe
Token: SeDebugPrivilege	2892	tasklist.exe
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	2360	tasklist.exe
Token: SeDebugPrivilege	2612	tasklist.exe
Token: SeDebugPrivilege	2916	tasklist.exe
Token: SeDebugPrivilege	2040	tasklist.exe
Token: SeDebugPrivilege	1084	tasklist.exe
Token: SeDebugPrivilege	3112	tasklist.exe
Token: SeDebugPrivilege	3160	tasklist.exe
Token: SeDebugPrivilege	3212	tasklist.exe
Token: SeDebugPrivilege	3260	tasklist.exe
Token: SeDebugPrivilege	3304	tasklist.exe
Token: SeDebugPrivilege	3352	tasklist.exe
Token: SeDebugPrivilege	3404	tasklist.exe
Token: SeDebugPrivilege	3452	tasklist.exe
Token: SeDebugPrivilege	3500	tasklist.exe
Token: SeDebugPrivilege	3544	tasklist.exe
Token: SeDebugPrivilege	3592	tasklist.exe
Token: SeDebugPrivilege	3640	tasklist.exe
Token: SeDebugPrivilege	3688	tasklist.exe
Token: SeDebugPrivilege	3740	tasklist.exe
Token: SeDebugPrivilege	3796	tasklist.exe
Token: SeDebugPrivilege	3844	tasklist.exe
Token: SeDebugPrivilege	3888	tasklist.exe
Token: SeDebugPrivilege	3940	tasklist.exe
Token: SeDebugPrivilege	3988	tasklist.exe
Token: SeDebugPrivilege	4032	tasklist.exe
Token: SeDebugPrivilege	4080	tasklist.exe
Token: SeDebugPrivilege	964	tasklist.exe
Token: SeDebugPrivilege	2392	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeDebugPrivilege	768	tasklist.exe
Token: SeDebugPrivilege	2688	tasklist.exe
Token: SeDebugPrivilege	1080	tasklist.exe
Token: SeDebugPrivilege	1884	tasklist.exe
Token: SeDebugPrivilege	1796	tasklist.exe
Token: SeDebugPrivilege	1328	tasklist.exe
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	2528	tasklist.exe
Token: SeDebugPrivilege	2068	tasklist.exe
Token: SeDebugPrivilege	2852	tasklist.exe
Token: SeDebugPrivilege	2820	tasklist.exe
Token: SeDebugPrivilege	348	tasklist.exe
Token: SeDebugPrivilege	1616	tasklist.exe
Token: SeDebugPrivilege	2992	tasklist.exe
Token: SeDebugPrivilege	2144	tasklist.exe
Token: SeDebugPrivilege	2720	tasklist.exe
Token: SeDebugPrivilege	2096	tasklist.exe
Token: SeDebugPrivilege	688	tasklist.exe
Token: SeDebugPrivilege	1444	tasklist.exe
Token: SeDebugPrivilege	776	tasklist.exe
Token: SeDebugPrivilege	568	tasklist.exe
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeDebugPrivilege	3044	tasklist.exe
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	2500	tasklist.exe
Token: SeDebugPrivilege	3076	tasklist.exe
Token: SeDebugPrivilege	3120	tasklist.exe
Token: SeDebugPrivilege	3192	tasklist.exe
Token: SeDebugPrivilege	3236	tasklist.exe
Token: SeDebugPrivilege	3284	tasklist.exe
Token: SeDebugPrivilege	3296	tasklist.exe
Token: SeDebugPrivilege	3380	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1704	2616	gold-crypted.exe	30
PID 2616 wrote to memory of 1704	2616	gold-crypted.exe	30
PID 2616 wrote to memory of 1704	2616	gold-crypted.exe	30
PID 2616 wrote to memory of 1704	2616	gold-crypted.exe	30
PID 2616 wrote to memory of 2216	2616	gold-crypted.exe	31
PID 2616 wrote to memory of 2216	2616	gold-crypted.exe	31
PID 2616 wrote to memory of 2216	2616	gold-crypted.exe	31
PID 2616 wrote to memory of 2216	2616	gold-crypted.exe	31
PID 1704 wrote to memory of 2828	1704	Output.exe	32
PID 1704 wrote to memory of 2828	1704	Output.exe	32
PID 1704 wrote to memory of 2828	1704	Output.exe	32
PID 1704 wrote to memory of 2736	1704	Output.exe	33
PID 1704 wrote to memory of 2736	1704	Output.exe	33
PID 1704 wrote to memory of 2736	1704	Output.exe	33
PID 2736 wrote to memory of 2196	2736	MSUpdate.exe	34
PID 2736 wrote to memory of 2196	2736	MSUpdate.exe	34
PID 2736 wrote to memory of 2196	2736	MSUpdate.exe	34
PID 2828 wrote to memory of 1932	2828	built (2).exe	35
PID 2828 wrote to memory of 1932	2828	built (2).exe	35
PID 2828 wrote to memory of 1932	2828	built (2).exe	35
PID 1932 wrote to memory of 2596	1932	cmd.exe	37
PID 1932 wrote to memory of 2596	1932	cmd.exe	37
PID 1932 wrote to memory of 2596	1932	cmd.exe	37
PID 1932 wrote to memory of 2892	1932	cmd.exe	38
PID 1932 wrote to memory of 2892	1932	cmd.exe	38
PID 1932 wrote to memory of 2892	1932	cmd.exe	38
PID 1932 wrote to memory of 1996	1932	cmd.exe	39
PID 1932 wrote to memory of 1996	1932	cmd.exe	39
PID 1932 wrote to memory of 1996	1932	cmd.exe	39
PID 1932 wrote to memory of 2732	1932	cmd.exe	41
PID 1932 wrote to memory of 2732	1932	cmd.exe	41
PID 1932 wrote to memory of 2732	1932	cmd.exe	41
PID 1932 wrote to memory of 2968	1932	cmd.exe	42
PID 1932 wrote to memory of 2968	1932	cmd.exe	42
PID 1932 wrote to memory of 2968	1932	cmd.exe	42
PID 1932 wrote to memory of 2904	1932	cmd.exe	43
PID 1932 wrote to memory of 2904	1932	cmd.exe	43
PID 1932 wrote to memory of 2904	1932	cmd.exe	43
PID 1932 wrote to memory of 2752	1932	cmd.exe	44
PID 1932 wrote to memory of 2752	1932	cmd.exe	44
PID 1932 wrote to memory of 2752	1932	cmd.exe	44
PID 1932 wrote to memory of 2360	1932	cmd.exe	46
PID 1932 wrote to memory of 2360	1932	cmd.exe	46
PID 1932 wrote to memory of 2360	1932	cmd.exe	46
PID 1932 wrote to memory of 2520	1932	cmd.exe	47
PID 1932 wrote to memory of 2520	1932	cmd.exe	47
PID 1932 wrote to memory of 2520	1932	cmd.exe	47
PID 1932 wrote to memory of 788	1932	cmd.exe	48
PID 1932 wrote to memory of 788	1932	cmd.exe	48
PID 1932 wrote to memory of 788	1932	cmd.exe	48
PID 1932 wrote to memory of 2612	1932	cmd.exe	49
PID 1932 wrote to memory of 2612	1932	cmd.exe	49
PID 1932 wrote to memory of 2612	1932	cmd.exe	49
PID 1932 wrote to memory of 1828	1932	cmd.exe	50
PID 1932 wrote to memory of 1828	1932	cmd.exe	50
PID 1932 wrote to memory of 1828	1932	cmd.exe	50
PID 1932 wrote to memory of 1744	1932	cmd.exe	51
PID 1932 wrote to memory of 1744	1932	cmd.exe	51
PID 1932 wrote to memory of 1744	1932	cmd.exe	51
PID 1932 wrote to memory of 2916	1932	cmd.exe	52
PID 1932 wrote to memory of 2916	1932	cmd.exe	52
PID 1932 wrote to memory of 2916	1932	cmd.exe	52
PID 1932 wrote to memory of 1032	1932	cmd.exe	53
PID 1932 wrote to memory of 1032	1932	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\gold-crypted.exe
"C:\Users\Admin\AppData\Local\Temp\gold-crypted.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Roaming\Output.exe
  "C:\Users\Admin\AppData\Roaming\Output.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Roaming\built (2).exe
    "C:\Users\Admin\AppData\Roaming\built (2).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC590.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC590.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2596
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1996
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2732
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2904
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2752
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2520
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:788
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1828
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1744
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2472
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1836
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2016
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3100
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3120
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3148
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3168
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3196
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3220
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3248
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3268
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3296
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3312
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3340
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3360
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3392
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3412
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3440
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3460
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3488
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3536
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3552
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3580
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3628
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3648
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3676
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3696
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3724
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3776
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3804
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3832
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3852
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3880
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3900
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3928
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3948
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3976
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3996
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:4024
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:4040
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:4068
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:4088
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2804
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2336
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1632
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2172
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2656
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2072
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1568
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:916
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1260
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2268
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:356
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2844
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1636
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2248
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1560
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1576
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1456
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1964
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3036
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2184
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1992
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2352
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:988
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1728
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2488
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1552
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1520
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3056
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2872
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2264
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2136
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1104
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2596
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1264
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2960
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2708
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2904
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2344
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2548
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:772
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1968
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3024
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1840
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2876
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2036
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:788
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:320
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2492
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1816
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3008
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1724
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2004
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2032
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3084
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3104
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3116
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1832
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3148
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3176
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3196
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3228
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3252
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3276
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3256
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3328
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3312
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3364
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3348
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3436
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3420
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3400
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3484
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3468
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3448
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3532
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3516
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3496
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3536
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3584
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3612
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3604
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3664
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3660
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3652
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3720
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3704
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3708
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2740
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2340
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2728
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3760
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3740
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3812
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3796
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3804
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3864
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3856
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3840
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3896
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3900
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3932
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3944
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3948
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3980
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:4000
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3988
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3984
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:4048
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:4044
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:4072
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:4080
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:4076
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2804
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:964
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2592
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1632
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2392
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2112
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2656
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2680
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2072
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1440
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:644
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:1880
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:356
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:968
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2972
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1636
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:992
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1148
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1560
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2156
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1352
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1456
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:904
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:804
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2228
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2312
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1984
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1992
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2556
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2104
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2352
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2560
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2808
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1728
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2188
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2488
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:892
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2444
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2920
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:1600
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2636
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2872
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2824
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2136
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2988
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2404
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2596
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2508
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2892
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2960
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2712
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2704
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2520
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1240
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1768
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:1336
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1172
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1508
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3028
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1444
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1716
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:708
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:776
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2376
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:1276
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2768
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1256
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:532
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2932
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2916
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3044
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:636
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:828
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2044
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3088
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:572
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2676
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2256
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3084
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3100
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:1308
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3116
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3108
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:1832
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3164
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3176
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2432
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3208
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3212
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3240
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2952
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3264
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3288
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3256
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3316
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3324
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3360
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3376
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3384
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3416
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3408
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3428
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3460
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3476
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3448
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3500
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3504
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3496
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3556
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3560
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3624
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:928
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3584
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3588
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3612
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2152
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3676
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3644
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3660
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2772
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3696
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3704
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3772
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3724
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2784
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3820
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3736
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3860
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3872
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3796
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3916
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:3852
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3884
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3972
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:3964
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3900
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:4004
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:4016
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3976
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:4036
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:4060
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3996
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:4084
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2460
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:4044
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2540
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2452
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:4076
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1368
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2428
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2384
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2084
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:556
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2396
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:692
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        Enumerates processes with tasklist
        
        PID:2260
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2180
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2236
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2332
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2456
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2844
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:2764
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:968
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1524
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:1876
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1888
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1576
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1332
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1456
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:844
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1328
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1964
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2828"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:564
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3792
- - C:\Users\Admin\AppData\Roaming\MSUpdate.exe
    "C:\Users\Admin\AppData\Roaming\MSUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Roaming\MSUpdate.exe
      "C:\Users\Admin\AppData\Roaming\MSUpdate.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2196
- C:\Users\Admin\AppData\Roaming\sqli_dumper_gold.exe
  "C:\Users\Admin\AppData\Roaming\sqli_dumper_gold.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27362\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC590.tmp.bat

Filesize
286B

MD5
70a4cee940aec62696c88a044a11c969

SHA1
eee4522abdf56018db6db947c9dc2048d919a789

SHA256
489a27653726db1efef17fff97291705de44eb26d312aa9a4f5877593439ca8c

SHA512
dbab5823b094a2d91821089654f4a3b47b9d15bb674ea7b7c4d2835eb140802943eb848b5f591f590db5487bcceb209a7931eac2edbcfbef14e85f63e4592b0a

Download Submit
C:\Users\Admin\AppData\Roaming\MSUpdate.exe

Filesize
10.5MB

MD5
79d19e7b20c0a9f3ac172041dcf84c97

SHA1
2e8a9c7d1aac017c1fabae50677e5bedea55c16d

SHA256
6080208516fa0312f72202ff528cf3ae055fcec32049191c8b4043bdb52bf072

SHA512
1d3fa42566c332501300da43e462a68341f9fc5aa5328d1b57cbb947e9b3e3eaa86d3368f52e82e3294fff63dc53587fda070967fa9a533dc4f9497a71e72e35

Download Submit
C:\Users\Admin\AppData\Roaming\Output.exe

Filesize
16.2MB

MD5
a66f1bbaa98eed711a0322f0dee36514

SHA1
f7ce80beb7b83cb6d7fd2c5f3a84f1e8873295bf

SHA256
7f13042ba9475c3cd8c6026c1a57108c7f2bb9fafe2d2784035231df3a9c3936

SHA512
92e2b0e9995d077d436c2178cabcbe7ed72f3ae2ea2d17162ac1e9872caeeb14d89861b84f634ab881caa4910da5e8d0bbfb8d78f370e2ae95b135af23942a69

Download Submit
C:\Users\Admin\AppData\Roaming\built (2).exe

Filesize
5.6MB

MD5
ded0f51c666f4d042d490161a9b6f50b

SHA1
ea07f12d4030f38ae6d417e6be9fa73ee74e7863

SHA256
0a4a5035648029af21e2a5f8476ee6326f75fffd35bd63d3dac6202a7b7400e7

SHA512
c38311c183880220ddc81d7361a8e1afa943ca7617c35a1848c8b6e3c8ac82d35dda416dd37db4e6d8a0107fe48a5702ffa8ef1cc2d8dea84229d9b06b4dde29

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
\Users\Admin\AppData\Roaming\sqli_dumper_gold.exe

Filesize
3.7MB

MD5
be1c83af0d700658a6037904d94e6f69

SHA1
4c7575f7557ee1d31ef23465daa8afd95b99f25c

SHA256
57ab912baaf7076612e0f9cee9455beff11cf3b4096467da59ac7155ecddee53

SHA512
cf46381178f5d6bb9e94684a2d7c8c0465217f459291c0be297857e440d4d14688687b3fca3b0ee637b477c5c2db30bfea08f63e44816f208c9f57a474a40652

Download Submit
memory/1704-28-0x00000000001C0000-0x00000000011EE000-memory.dmp

Filesize
16.2MB

Download
memory/2216-26-0x00000000001C0000-0x000000000057E000-memory.dmp

Filesize
3.7MB

Download
memory/2616-24-0x0000000000230000-0x0000000001627000-memory.dmp

Filesize
20.0MB

Download
memory/2616-0-0x0000000001E30000-0x000000000321C000-memory.dmp

Filesize
19.9MB

Download
memory/2616-8-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-27-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-7-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-6-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-5-0x000000000C5E0000-0x000000000D9CA000-memory.dmp

Filesize
19.9MB

Download
memory/2616-4-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-3-0x000000007499E000-0x000000007499F000-memory.dmp

Filesize
4KB

Download
memory/2616-2-0x0000000001E30000-0x000000000321C000-memory.dmp

Filesize
19.9MB

Download
memory/2828-34-0x00000000003E0000-0x0000000000982000-memory.dmp

Filesize
5.6MB

Download