9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3

Analysis

max time kernel
129s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23b25ce90f70ffa0435db8df6a6764f2.exe
Size

5.6MB
MD5

23b25ce90f70ffa0435db8df6a6764f2
SHA1

72d0c052f26309704f13c090495c3cdea4ed1bf2
SHA256

9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3
SHA512

b6c81131119b95df9d789329ffd4553c1624f7d9e38c46924ac4838e59ccb59b538646f36d8c80b9361412842f8c0328aa4177e93e72e22c15077669ee9904ec
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2464	23b25ce90f70ffa0435db8df6a6764f2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
1324	tasklist.exe
2212	tasklist.exe
1648	tasklist.exe
568	tasklist.exe
1764	tasklist.exe
2056	tasklist.exe
332	tasklist.exe
2080	tasklist.exe
2944	tasklist.exe
2972	tasklist.exe
2896	tasklist.exe
820	tasklist.exe
1756	tasklist.exe
1740	tasklist.exe
2692	tasklist.exe
2812	tasklist.exe
1200	tasklist.exe
2168	tasklist.exe
2880	tasklist.exe
916	tasklist.exe
2576	tasklist.exe
2464	tasklist.exe
2892	tasklist.exe
2384	tasklist.exe
2388	tasklist.exe
1776	tasklist.exe
2564	tasklist.exe
1364	tasklist.exe
2432	tasklist.exe
3004	tasklist.exe
1980	tasklist.exe
2076	tasklist.exe
1312	tasklist.exe
3056	tasklist.exe
1708	tasklist.exe
1788	tasklist.exe
2720	tasklist.exe
2624	tasklist.exe
3052	tasklist.exe
2336	tasklist.exe
948	tasklist.exe
1312	tasklist.exe
536	tasklist.exe
2244	tasklist.exe
996	tasklist.exe
568	tasklist.exe
1360	tasklist.exe
2716	tasklist.exe
1408	tasklist.exe
936	tasklist.exe
2552	tasklist.exe
2240	tasklist.exe
2008	tasklist.exe
2752	tasklist.exe
776	tasklist.exe
2748	tasklist.exe
1112	tasklist.exe
1940	tasklist.exe
2688	tasklist.exe
2776	tasklist.exe
572	tasklist.exe
2568	tasklist.exe
1164	tasklist.exe
3056	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2828	timeout.exe
324	timeout.exe
908	timeout.exe
356	timeout.exe
2644	timeout.exe
1344	timeout.exe
1196	timeout.exe
2156	timeout.exe
2092	timeout.exe
316	timeout.exe
2676	timeout.exe
2136	timeout.exe
2384	timeout.exe
1028	timeout.exe
2820	timeout.exe
1916	timeout.exe
1924	timeout.exe
2204	timeout.exe
2916	timeout.exe
588	timeout.exe
2924	timeout.exe
332	timeout.exe
2352	timeout.exe
320	timeout.exe
1800	timeout.exe
2712	timeout.exe
2732	timeout.exe
1760	timeout.exe
2700	timeout.exe
1996	timeout.exe
2740	timeout.exe
3060	timeout.exe
2760	timeout.exe
1564	timeout.exe
2400	timeout.exe
1684	timeout.exe
1076	timeout.exe
3000	timeout.exe
2660	timeout.exe
3020	timeout.exe
2436	timeout.exe
1256	timeout.exe
980	timeout.exe
2948	timeout.exe
844	timeout.exe
2908	timeout.exe
564	timeout.exe
1340	timeout.exe
1108	timeout.exe
2356	timeout.exe
2944	timeout.exe
1564	timeout.exe
2344	timeout.exe
2864	timeout.exe
2992	timeout.exe
2684	timeout.exe
340	timeout.exe
756	timeout.exe
764	timeout.exe
2640	timeout.exe
2316	timeout.exe
2976	timeout.exe
2072	timeout.exe
1004	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2464	23b25ce90f70ffa0435db8df6a6764f2.exe
2464	23b25ce90f70ffa0435db8df6a6764f2.exe
2464	23b25ce90f70ffa0435db8df6a6764f2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	23b25ce90f70ffa0435db8df6a6764f2.exe
Token: SeDebugPrivilege	2944	tasklist.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	2432	tasklist.exe
Token: SeDebugPrivilege	2716	tasklist.exe
Token: SeDebugPrivilege	3004	tasklist.exe
Token: SeDebugPrivilege	2844	tasklist.exe
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeDebugPrivilege	2008	tasklist.exe
Token: SeDebugPrivilege	1860	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	1768	tasklist.exe
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	1156	tasklist.exe
Token: SeDebugPrivilege	1836	tasklist.exe
Token: SeDebugPrivilege	568	tasklist.exe
Token: SeDebugPrivilege	340	tasklist.exe
Token: SeDebugPrivilege	1664	tasklist.exe
Token: SeDebugPrivilege	1784	tasklist.exe
Token: SeDebugPrivilege	2404	tasklist.exe
Token: SeDebugPrivilege	1408	tasklist.exe
Token: SeDebugPrivilege	2216	tasklist.exe
Token: SeDebugPrivilege	2236	tasklist.exe
Token: SeDebugPrivilege	352	tasklist.exe
Token: SeDebugPrivilege	1764	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	2892	tasklist.exe
Token: SeDebugPrivilege	2776	tasklist.exe
Token: SeDebugPrivilege	2108	tasklist.exe
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeDebugPrivilege	2632	tasklist.exe
Token: SeDebugPrivilege	1616	tasklist.exe
Token: SeDebugPrivilege	1200	tasklist.exe
Token: SeDebugPrivilege	2056	tasklist.exe
Token: SeDebugPrivilege	3056	tasklist.exe
Token: SeDebugPrivilege	2972	tasklist.exe
Token: SeDebugPrivilege	1164	tasklist.exe
Token: SeDebugPrivilege	2688	tasklist.exe
Token: SeDebugPrivilege	1364	tasklist.exe
Token: SeDebugPrivilege	332	tasklist.exe
Token: SeDebugPrivilege	2120	tasklist.exe
Token: SeDebugPrivilege	2384	tasklist.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	2080	tasklist.exe
Token: SeDebugPrivilege	1572	tasklist.exe
Token: SeDebugPrivilege	1324	tasklist.exe
Token: SeDebugPrivilege	900	tasklist.exe
Token: SeDebugPrivilege	496	tasklist.exe
Token: SeDebugPrivilege	1368	tasklist.exe
Token: SeDebugPrivilege	692	tasklist.exe
Token: SeDebugPrivilege	1692	tasklist.exe
Token: SeDebugPrivilege	2160	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	2168	tasklist.exe
Token: SeDebugPrivilege	2524	tasklist.exe
Token: SeDebugPrivilege	2340	tasklist.exe
Token: SeDebugPrivilege	2880	tasklist.exe
Token: SeDebugPrivilege	2720	tasklist.exe
Token: SeDebugPrivilege	2900	tasklist.exe
Token: SeDebugPrivilege	2908	tasklist.exe
Token: SeDebugPrivilege	2624	tasklist.exe
Token: SeDebugPrivilege	1616	tasklist.exe
Token: SeDebugPrivilege	2432	tasklist.exe
Token: SeDebugPrivilege	2056	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2868	2464	23b25ce90f70ffa0435db8df6a6764f2.exe	32
PID 2464 wrote to memory of 2868	2464	23b25ce90f70ffa0435db8df6a6764f2.exe	32
PID 2464 wrote to memory of 2868	2464	23b25ce90f70ffa0435db8df6a6764f2.exe	32
PID 2868 wrote to memory of 2732	2868	cmd.exe	34
PID 2868 wrote to memory of 2732	2868	cmd.exe	34
PID 2868 wrote to memory of 2732	2868	cmd.exe	34
PID 2868 wrote to memory of 2944	2868	cmd.exe	35
PID 2868 wrote to memory of 2944	2868	cmd.exe	35
PID 2868 wrote to memory of 2944	2868	cmd.exe	35
PID 2868 wrote to memory of 2616	2868	cmd.exe	36
PID 2868 wrote to memory of 2616	2868	cmd.exe	36
PID 2868 wrote to memory of 2616	2868	cmd.exe	36
PID 2868 wrote to memory of 2684	2868	cmd.exe	37
PID 2868 wrote to memory of 2684	2868	cmd.exe	37
PID 2868 wrote to memory of 2684	2868	cmd.exe	37
PID 2868 wrote to memory of 2692	2868	cmd.exe	38
PID 2868 wrote to memory of 2692	2868	cmd.exe	38
PID 2868 wrote to memory of 2692	2868	cmd.exe	38
PID 2868 wrote to memory of 2740	2868	cmd.exe	39
PID 2868 wrote to memory of 2740	2868	cmd.exe	39
PID 2868 wrote to memory of 2740	2868	cmd.exe	39
PID 2868 wrote to memory of 2172	2868	cmd.exe	40
PID 2868 wrote to memory of 2172	2868	cmd.exe	40
PID 2868 wrote to memory of 2172	2868	cmd.exe	40
PID 2868 wrote to memory of 2432	2868	cmd.exe	41
PID 2868 wrote to memory of 2432	2868	cmd.exe	41
PID 2868 wrote to memory of 2432	2868	cmd.exe	41
PID 2868 wrote to memory of 2660	2868	cmd.exe	42
PID 2868 wrote to memory of 2660	2868	cmd.exe	42
PID 2868 wrote to memory of 2660	2868	cmd.exe	42
PID 2868 wrote to memory of 1340	2868	cmd.exe	43
PID 2868 wrote to memory of 1340	2868	cmd.exe	43
PID 2868 wrote to memory of 1340	2868	cmd.exe	43
PID 2868 wrote to memory of 2716	2868	cmd.exe	44
PID 2868 wrote to memory of 2716	2868	cmd.exe	44
PID 2868 wrote to memory of 2716	2868	cmd.exe	44
PID 2868 wrote to memory of 2176	2868	cmd.exe	45
PID 2868 wrote to memory of 2176	2868	cmd.exe	45
PID 2868 wrote to memory of 2176	2868	cmd.exe	45
PID 2868 wrote to memory of 2224	2868	cmd.exe	46
PID 2868 wrote to memory of 2224	2868	cmd.exe	46
PID 2868 wrote to memory of 2224	2868	cmd.exe	46
PID 2868 wrote to memory of 3004	2868	cmd.exe	47
PID 2868 wrote to memory of 3004	2868	cmd.exe	47
PID 2868 wrote to memory of 3004	2868	cmd.exe	47
PID 2868 wrote to memory of 3020	2868	cmd.exe	48
PID 2868 wrote to memory of 3020	2868	cmd.exe	48
PID 2868 wrote to memory of 3020	2868	cmd.exe	48
PID 2868 wrote to memory of 2828	2868	cmd.exe	49
PID 2868 wrote to memory of 2828	2868	cmd.exe	49
PID 2868 wrote to memory of 2828	2868	cmd.exe	49
PID 2868 wrote to memory of 2844	2868	cmd.exe	50
PID 2868 wrote to memory of 2844	2868	cmd.exe	50
PID 2868 wrote to memory of 2844	2868	cmd.exe	50
PID 2868 wrote to memory of 2852	2868	cmd.exe	51
PID 2868 wrote to memory of 2852	2868	cmd.exe	51
PID 2868 wrote to memory of 2852	2868	cmd.exe	51
PID 2868 wrote to memory of 3000	2868	cmd.exe	52
PID 2868 wrote to memory of 3000	2868	cmd.exe	52
PID 2868 wrote to memory of 3000	2868	cmd.exe	52
PID 2868 wrote to memory of 2812	2868	cmd.exe	53
PID 2868 wrote to memory of 2812	2868	cmd.exe	53
PID 2868 wrote to memory of 2812	2868	cmd.exe	53
PID 2868 wrote to memory of 3024	2868	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\23b25ce90f70ffa0435db8df6a6764f2.exe
"C:\Users\Admin\AppData\Local\Temp\23b25ce90f70ffa0435db8df6a6764f2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6A5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6A5.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2616
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2684
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2172
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1340
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2176
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2224
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3020
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2828
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3024
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3060
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2412
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1636
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2200
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1440
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2368
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1256
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2396
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:816
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2304
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1080
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:348
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:840
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:764
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1544
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1648
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2144
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2140
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2700
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:352
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2220
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2096
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2072
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1312
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2100
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2480
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2184
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2276
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2948
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:936
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2092
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2436
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2136
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2820
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2808
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2812
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1160
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2840
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:760
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:648
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1804
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1108
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:316
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1524
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2760
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1828
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2356
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1924
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:608
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2236
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3064
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:356
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:544
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2316
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1312
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1476
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2644
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2924
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2944
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2276
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:936
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2660
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2476
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2176
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2224
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:3056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2984
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:572
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1364
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:3052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:332
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2364
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2368
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1868
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2212
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1256
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1156
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:816
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2296
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:324
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:1108
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2560
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:316
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:1000
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1784
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:980
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1628
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1720
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:1924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1260
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:1732
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1212
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:580
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2160
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1668
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2096
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1980
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2168
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2072
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1740
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2524
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2748
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2340
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2204
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2336
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2676
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2896
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2392
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1196
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:1384
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1656
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1952
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2624
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2636
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2740
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2416
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2436
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2476
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1412
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2136
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2716
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:3056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2976
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1304
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2244
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:572
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:536
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1808
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2120
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2076
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1632
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2468
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2452
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2384
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2552
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1800
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2352
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2212
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2080
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1148
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2280
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:340
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:900
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:1664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2572
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1684
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:948
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2408
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1544
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1708
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2156
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:928
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1732
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2240
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1760
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1360
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2564
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1696
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1788
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:884
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2072
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:1312
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2644
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:2764
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    PID:1136
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2952
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2464"
    3⤵
    - Enumerates processes with tasklist
    PID:2464
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6A5.tmp.bat

Filesize
286B

MD5
ee3bcbc3fb0bbb81a2aa02cda6caf5e9

SHA1
bdb0fbd7003e31f9d7d7c93c73cb75c07f570c96

SHA256
09abed5bbd37ea60736633fb72036a57abec866fb3088508c270aa1d39f847bf

SHA512
7a2b52af4ada34f44b2f79974a7e7296ef5e916936c64c5d8c8c84312d980742a07e99e98e8c471786d1077cbb0acad0c12927ba809325017bc1805b046f14a8

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2464-0-0x000007FEF4F13000-0x000007FEF4F14000-memory.dmp

Filesize
4KB

Download
memory/2464-1-0x0000000001390000-0x0000000001932000-memory.dmp

Filesize
5.6MB

Download
memory/2464-6-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/2464-9-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download