9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe
Size

5.6MB
MD5

23b25ce90f70ffa0435db8df6a6764f2
SHA1

72d0c052f26309704f13c090495c3cdea4ed1bf2
SHA256

9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3
SHA512

b6c81131119b95df9d789329ffd4553c1624f7d9e38c46924ac4838e59ccb59b538646f36d8c80b9361412842f8c0328aa4177e93e72e22c15077669ee9904ec
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1728	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
1136	tasklist.exe
1264	tasklist.exe
1768	tasklist.exe
1744	tasklist.exe
1056	tasklist.exe
2672	tasklist.exe
1292	tasklist.exe
2660	tasklist.exe
2952	tasklist.exe
2076	tasklist.exe
1524	tasklist.exe
2300	tasklist.exe
2228	tasklist.exe
2100	tasklist.exe
2920	tasklist.exe
3008	tasklist.exe
888	tasklist.exe
2204	tasklist.exe
2660	tasklist.exe
2988	tasklist.exe
2052	tasklist.exe
2180	tasklist.exe
1828	tasklist.exe
2764	tasklist.exe
1924	tasklist.exe
2516	tasklist.exe
660	tasklist.exe
1940	tasklist.exe
2804	tasklist.exe
1856	tasklist.exe
2264	tasklist.exe
2952	tasklist.exe
2948	tasklist.exe
1348	tasklist.exe
556	tasklist.exe
2524	tasklist.exe
2492	tasklist.exe
1860	tasklist.exe
2740	tasklist.exe
2376	tasklist.exe
2976	tasklist.exe
1560	tasklist.exe
548	tasklist.exe
2680	tasklist.exe
2768	tasklist.exe
1588	tasklist.exe
1604	tasklist.exe
1576	tasklist.exe
2932	tasklist.exe
2624	tasklist.exe
1720	tasklist.exe
2916	tasklist.exe
2468	tasklist.exe
3032	tasklist.exe
1228	tasklist.exe
2592	tasklist.exe
1740	tasklist.exe
2184	tasklist.exe
1320	tasklist.exe
2200	tasklist.exe
2440	tasklist.exe
1728	tasklist.exe
1288	tasklist.exe
352	tasklist.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2904	timeout.exe
1800	timeout.exe
2648	timeout.exe
1940	timeout.exe
2004	timeout.exe
1788	timeout.exe
1448	timeout.exe
2804	timeout.exe
2344	timeout.exe
2636	timeout.exe
548	timeout.exe
2612	timeout.exe
1604	timeout.exe
1228	timeout.exe
2368	timeout.exe
2400	timeout.exe
1520	timeout.exe
2932	timeout.exe
2052	timeout.exe
2592	timeout.exe
3016	timeout.exe
1928	timeout.exe
2572	timeout.exe
2468	timeout.exe
888	timeout.exe
1800	timeout.exe
1728	timeout.exe
2792	timeout.exe
2204	timeout.exe
2128	timeout.exe
1524	timeout.exe
2620	timeout.exe
2496	timeout.exe
2780	timeout.exe
1704	timeout.exe
1296	timeout.exe
2176	timeout.exe
1816	timeout.exe
2992	timeout.exe
1984	timeout.exe
956	timeout.exe
2896	timeout.exe
2508	timeout.exe
936	timeout.exe
1924	timeout.exe
2004	timeout.exe
1916	timeout.exe
2656	timeout.exe
1672	timeout.exe
2300	timeout.exe
3044	timeout.exe
1196	timeout.exe
1000	timeout.exe
1712	timeout.exe
2472	timeout.exe
2112	timeout.exe
348	timeout.exe
2652	timeout.exe
880	timeout.exe
2724	timeout.exe
2452	timeout.exe
3028	timeout.exe
524	timeout.exe
2736	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1728	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe
1728	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe
1728	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe
Token: SeDebugPrivilege	2804	tasklist.exe
Token: SeDebugPrivilege	2792	tasklist.exe
Token: SeDebugPrivilege	2660	tasklist.exe
Token: SeDebugPrivilege	2652	tasklist.exe
Token: SeDebugPrivilege	2052	tasklist.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	1136	tasklist.exe
Token: SeDebugPrivilege	2132	tasklist.exe
Token: SeDebugPrivilege	2844	tasklist.exe
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeDebugPrivilege	1264	tasklist.exe
Token: SeDebugPrivilege	1560	tasklist.exe
Token: SeDebugPrivilege	352	tasklist.exe
Token: SeDebugPrivilege	2180	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	1288	tasklist.exe
Token: SeDebugPrivilege	3008	tasklist.exe
Token: SeDebugPrivilege	1344	tasklist.exe
Token: SeDebugPrivilege	2008	tasklist.exe
Token: SeDebugPrivilege	1828	tasklist.exe
Token: SeDebugPrivilege	1768	tasklist.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	1744	tasklist.exe
Token: SeDebugPrivilege	2264	tasklist.exe
Token: SeDebugPrivilege	1860	tasklist.exe
Token: SeDebugPrivilege	1740	tasklist.exe
Token: SeDebugPrivilege	1804	tasklist.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	2376	tasklist.exe
Token: SeDebugPrivilege	2916	tasklist.exe
Token: SeDebugPrivilege	2184	tasklist.exe
Token: SeDebugPrivilege	2764	tasklist.exe
Token: SeDebugPrivilege	2624	tasklist.exe
Token: SeDebugPrivilege	2920	tasklist.exe
Token: SeDebugPrivilege	1320	tasklist.exe
Token: SeDebugPrivilege	1056	tasklist.exe
Token: SeDebugPrivilege	2064	tasklist.exe
Token: SeDebugPrivilege	2672	tasklist.exe
Token: SeDebugPrivilege	2952	tasklist.exe
Token: SeDebugPrivilege	1292	tasklist.exe
Token: SeDebugPrivilege	1956	tasklist.exe
Token: SeDebugPrivilege	2200	tasklist.exe
Token: SeDebugPrivilege	2572	tasklist.exe
Token: SeDebugPrivilege	2076	tasklist.exe
Token: SeDebugPrivilege	1524	tasklist.exe
Token: SeDebugPrivilege	548	tasklist.exe
Token: SeDebugPrivilege	844	tasklist.exe
Token: SeDebugPrivilege	2472	tasklist.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	888	tasklist.exe
Token: SeDebugPrivilege	2168	tasklist.exe
Token: SeDebugPrivilege	3032	tasklist.exe
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	880	tasklist.exe
Token: SeDebugPrivilege	1800	tasklist.exe
Token: SeDebugPrivilege	2372	tasklist.exe
Token: SeDebugPrivilege	2300	tasklist.exe
Token: SeDebugPrivilege	2516	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	2804	tasklist.exe
Token: SeDebugPrivilege	2660	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2728	1728	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe	32
PID 1728 wrote to memory of 2728	1728	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe	32
PID 1728 wrote to memory of 2728	1728	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe	32
PID 2728 wrote to memory of 2912	2728	cmd.exe	34
PID 2728 wrote to memory of 2912	2728	cmd.exe	34
PID 2728 wrote to memory of 2912	2728	cmd.exe	34
PID 2728 wrote to memory of 2804	2728	cmd.exe	35
PID 2728 wrote to memory of 2804	2728	cmd.exe	35
PID 2728 wrote to memory of 2804	2728	cmd.exe	35
PID 2728 wrote to memory of 2756	2728	cmd.exe	36
PID 2728 wrote to memory of 2756	2728	cmd.exe	36
PID 2728 wrote to memory of 2756	2728	cmd.exe	36
PID 2728 wrote to memory of 2612	2728	cmd.exe	37
PID 2728 wrote to memory of 2612	2728	cmd.exe	37
PID 2728 wrote to memory of 2612	2728	cmd.exe	37
PID 2728 wrote to memory of 2792	2728	cmd.exe	38
PID 2728 wrote to memory of 2792	2728	cmd.exe	38
PID 2728 wrote to memory of 2792	2728	cmd.exe	38
PID 2728 wrote to memory of 2692	2728	cmd.exe	39
PID 2728 wrote to memory of 2692	2728	cmd.exe	39
PID 2728 wrote to memory of 2692	2728	cmd.exe	39
PID 2728 wrote to memory of 2736	2728	cmd.exe	40
PID 2728 wrote to memory of 2736	2728	cmd.exe	40
PID 2728 wrote to memory of 2736	2728	cmd.exe	40
PID 2728 wrote to memory of 2660	2728	cmd.exe	41
PID 2728 wrote to memory of 2660	2728	cmd.exe	41
PID 2728 wrote to memory of 2660	2728	cmd.exe	41
PID 2728 wrote to memory of 2712	2728	cmd.exe	42
PID 2728 wrote to memory of 2712	2728	cmd.exe	42
PID 2728 wrote to memory of 2712	2728	cmd.exe	42
PID 2728 wrote to memory of 2620	2728	cmd.exe	43
PID 2728 wrote to memory of 2620	2728	cmd.exe	43
PID 2728 wrote to memory of 2620	2728	cmd.exe	43
PID 2728 wrote to memory of 2652	2728	cmd.exe	44
PID 2728 wrote to memory of 2652	2728	cmd.exe	44
PID 2728 wrote to memory of 2652	2728	cmd.exe	44
PID 2728 wrote to memory of 2676	2728	cmd.exe	45
PID 2728 wrote to memory of 2676	2728	cmd.exe	45
PID 2728 wrote to memory of 2676	2728	cmd.exe	45
PID 2728 wrote to memory of 2648	2728	cmd.exe	46
PID 2728 wrote to memory of 2648	2728	cmd.exe	46
PID 2728 wrote to memory of 2648	2728	cmd.exe	46
PID 2728 wrote to memory of 2052	2728	cmd.exe	47
PID 2728 wrote to memory of 2052	2728	cmd.exe	47
PID 2728 wrote to memory of 2052	2728	cmd.exe	47
PID 2728 wrote to memory of 2772	2728	cmd.exe	48
PID 2728 wrote to memory of 2772	2728	cmd.exe	48
PID 2728 wrote to memory of 2772	2728	cmd.exe	48
PID 2728 wrote to memory of 1980	2728	cmd.exe	49
PID 2728 wrote to memory of 1980	2728	cmd.exe	49
PID 2728 wrote to memory of 1980	2728	cmd.exe	49
PID 2728 wrote to memory of 2592	2728	cmd.exe	50
PID 2728 wrote to memory of 2592	2728	cmd.exe	50
PID 2728 wrote to memory of 2592	2728	cmd.exe	50
PID 2728 wrote to memory of 1520	2728	cmd.exe	51
PID 2728 wrote to memory of 1520	2728	cmd.exe	51
PID 2728 wrote to memory of 1520	2728	cmd.exe	51
PID 2728 wrote to memory of 1476	2728	cmd.exe	52
PID 2728 wrote to memory of 1476	2728	cmd.exe	52
PID 2728 wrote to memory of 1476	2728	cmd.exe	52
PID 2728 wrote to memory of 1136	2728	cmd.exe	53
PID 2728 wrote to memory of 1136	2728	cmd.exe	53
PID 2728 wrote to memory of 1136	2728	cmd.exe	53
PID 2728 wrote to memory of 2940	2728	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe
"C:\Users\Admin\AppData\Local\Temp\9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD1A1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD1A1.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2912
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2612
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2736
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2676
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2648
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2772
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1476
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2976
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2944
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1196
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1760
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:352
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2240
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2532
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2112
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2020
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:688
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:348
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3020
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:956
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1608
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2452
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1548
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2496
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1644
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1780
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1536
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1812
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2896
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1952
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2932
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2412
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1228
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2364
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1728
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2792
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2616
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1808
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2652
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1260
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:840
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2780
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1092
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2368
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1676
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1388
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1296
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1196
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2348
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2176
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2236
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2096
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:444
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3016
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2588
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2900
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:612
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1816
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1932
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2440
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:700
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2524
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2392
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2156
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1448
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2512
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2604
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2668
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2656
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2172
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2636
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2948
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2976
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:1940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1676
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    PID:1388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1292
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1956
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2988
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1196
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2128
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:1588
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2228
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2176
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    PID:2120
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2236
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:1856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    PID:444
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3016
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:1348
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    PID:992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2468
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1816
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:888
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    PID:856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:936
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2992
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2204
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    PID:2436
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1924
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    PID:2896
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:1604
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:1576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2360
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2524
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2300
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:2932
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:1228
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2724
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1728"
    3⤵
    - Enumerates processes with tasklist
    PID:1728
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD1A1.tmp.bat

Filesize
286B

MD5
1129cde706942b4875ef819ec32d605b

SHA1
0785a789548f8be5c1a012d9f566f500b2e8d891

SHA256
073ea82952698decb5550f78f071d353fdfb1649681b7f72c37a079a28c251fb

SHA512
863a8706199cedcaabe1944d69526ae74e007d120345130fc48ad6c3bee3b3d7613628fc3168a95de3448d4379b7a8156c19b7e08b7abe0cc17152b45498cfd5

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/1728-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000000B0000-0x0000000000652000-memory.dmp

Filesize
5.6MB

Download
memory/1728-6-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-10-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download