9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe
Size

5.6MB
MD5

23b25ce90f70ffa0435db8df6a6764f2
SHA1

72d0c052f26309704f13c090495c3cdea4ed1bf2
SHA256

9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3
SHA512

b6c81131119b95df9d789329ffd4553c1624f7d9e38c46924ac4838e59ccb59b538646f36d8c80b9361412842f8c0328aa4177e93e72e22c15077669ee9904ec
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2328	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
2512	tasklist.exe
1108	tasklist.exe
1292	tasklist.exe
2324	tasklist.exe
2988	tasklist.exe
2956	tasklist.exe
760	tasklist.exe
1540	tasklist.exe
2840	tasklist.exe
2928	tasklist.exe
2524	tasklist.exe
2984	tasklist.exe
2656	tasklist.exe
2844	tasklist.exe
756	tasklist.exe
2984	tasklist.exe
3008	tasklist.exe
2244	tasklist.exe
2684	tasklist.exe
1580	tasklist.exe
2432	tasklist.exe
2736	tasklist.exe
2156	tasklist.exe
2244	tasklist.exe
2780	tasklist.exe
2856	tasklist.exe
2028	tasklist.exe
2696	tasklist.exe
2604	tasklist.exe
2768	tasklist.exe
1640	tasklist.exe
1312	tasklist.exe
2576	tasklist.exe
800	tasklist.exe
1824	tasklist.exe
1556	tasklist.exe
2460	tasklist.exe
980	tasklist.exe
696	tasklist.exe
2148	tasklist.exe
2760	tasklist.exe
2992	tasklist.exe
2712	tasklist.exe
2332	tasklist.exe
2652	tasklist.exe
2216	tasklist.exe
1032	tasklist.exe
3000	tasklist.exe
1028	tasklist.exe
352	tasklist.exe
2724	tasklist.exe
2920	tasklist.exe
3068	tasklist.exe
2072	tasklist.exe
880	tasklist.exe
2644	tasklist.exe
276	tasklist.exe
1660	tasklist.exe
2912	tasklist.exe
544	tasklist.exe
2248	tasklist.exe
2236	tasklist.exe
1028	tasklist.exe
3064	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2720	timeout.exe
1652	timeout.exe
3032	timeout.exe
1704	timeout.exe
2716	timeout.exe
2368	timeout.exe
2604	timeout.exe
2064	timeout.exe
2736	timeout.exe
2148	timeout.exe
1968	timeout.exe
2596	timeout.exe
2468	timeout.exe
1704	timeout.exe
2772	timeout.exe
2248	timeout.exe
2348	timeout.exe
2744	timeout.exe
2404	timeout.exe
2572	timeout.exe
2856	timeout.exe
2072	timeout.exe
2160	timeout.exe
1852	timeout.exe
2092	timeout.exe
316	timeout.exe
432	timeout.exe
2288	timeout.exe
2132	timeout.exe
2744	timeout.exe
2844	timeout.exe
2556	timeout.exe
1540	timeout.exe
2452	timeout.exe
1324	timeout.exe
1436	timeout.exe
1432	timeout.exe
2424	timeout.exe
1012	timeout.exe
2364	timeout.exe
3056	timeout.exe
1916	timeout.exe
1576	timeout.exe
1440	timeout.exe
1044	timeout.exe
2276	timeout.exe
908	timeout.exe
1572	timeout.exe
2200	timeout.exe
1760	timeout.exe
2608	timeout.exe
1036	timeout.exe
1748	timeout.exe
1916	timeout.exe
2112	timeout.exe
2316	timeout.exe
2128	timeout.exe
432	timeout.exe
2192	timeout.exe
2620	timeout.exe
864	timeout.exe
2104	timeout.exe
2916	timeout.exe
1436	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2328	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe
Token: SeDebugPrivilege	2684	tasklist.exe
Token: SeDebugPrivilege	2656	tasklist.exe
Token: SeDebugPrivilege	2780	tasklist.exe
Token: SeDebugPrivilege	2352	tasklist.exe
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeDebugPrivilege	2156	tasklist.exe
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	2984	tasklist.exe
Token: SeDebugPrivilege	2472	tasklist.exe
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	2100	tasklist.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	2456	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	2136	tasklist.exe
Token: SeDebugPrivilege	2236	tasklist.exe
Token: SeDebugPrivilege	2216	tasklist.exe
Token: SeDebugPrivilege	760	tasklist.exe
Token: SeDebugPrivilege	2324	tasklist.exe
Token: SeDebugPrivilege	820	tasklist.exe
Token: SeDebugPrivilege	880	tasklist.exe
Token: SeDebugPrivilege	924	tasklist.exe
Token: SeDebugPrivilege	544	tasklist.exe
Token: SeDebugPrivilege	1368	tasklist.exe
Token: SeDebugPrivilege	2416	tasklist.exe
Token: SeDebugPrivilege	1028	tasklist.exe
Token: SeDebugPrivilege	1584	tasklist.exe
Token: SeDebugPrivilege	2856	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeDebugPrivilege	2684	tasklist.exe
Token: SeDebugPrivilege	2652	tasklist.exe
Token: SeDebugPrivilege	1084	tasklist.exe
Token: SeDebugPrivilege	1656	tasklist.exe
Token: SeDebugPrivilege	900	tasklist.exe
Token: SeDebugPrivilege	2520	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe
Token: SeDebugPrivilege	1556	tasklist.exe
Token: SeDebugPrivilege	3000	tasklist.exe
Token: SeDebugPrivilege	2696	tasklist.exe
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	1456	tasklist.exe
Token: SeDebugPrivilege	3064	tasklist.exe
Token: SeDebugPrivilege	2304	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	2236	tasklist.exe
Token: SeDebugPrivilege	584	tasklist.exe
Token: SeDebugPrivilege	1852	tasklist.exe
Token: SeDebugPrivilege	1972	tasklist.exe
Token: SeDebugPrivilege	1764	tasklist.exe
Token: SeDebugPrivilege	880	tasklist.exe
Token: SeDebugPrivilege	924	tasklist.exe
Token: SeDebugPrivilege	2432	tasklist.exe
Token: SeDebugPrivilege	2988	tasklist.exe
Token: SeDebugPrivilege	892	tasklist.exe
Token: SeDebugPrivilege	1028	tasklist.exe
Token: SeDebugPrivilege	1584	tasklist.exe
Token: SeDebugPrivilege	2956	tasklist.exe
Token: SeDebugPrivilege	2072	tasklist.exe
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeDebugPrivilege	2844	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2952	2328	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe	30
PID 2328 wrote to memory of 2952	2328	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe	30
PID 2328 wrote to memory of 2952	2328	9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe	30
PID 2952 wrote to memory of 2692	2952	cmd.exe	32
PID 2952 wrote to memory of 2692	2952	cmd.exe	32
PID 2952 wrote to memory of 2692	2952	cmd.exe	32
PID 2952 wrote to memory of 2684	2952	cmd.exe	33
PID 2952 wrote to memory of 2684	2952	cmd.exe	33
PID 2952 wrote to memory of 2684	2952	cmd.exe	33
PID 2952 wrote to memory of 1824	2952	cmd.exe	34
PID 2952 wrote to memory of 1824	2952	cmd.exe	34
PID 2952 wrote to memory of 1824	2952	cmd.exe	34
PID 2952 wrote to memory of 2844	2952	cmd.exe	35
PID 2952 wrote to memory of 2844	2952	cmd.exe	35
PID 2952 wrote to memory of 2844	2952	cmd.exe	35
PID 2952 wrote to memory of 2656	2952	cmd.exe	36
PID 2952 wrote to memory of 2656	2952	cmd.exe	36
PID 2952 wrote to memory of 2656	2952	cmd.exe	36
PID 2952 wrote to memory of 2652	2952	cmd.exe	37
PID 2952 wrote to memory of 2652	2952	cmd.exe	37
PID 2952 wrote to memory of 2652	2952	cmd.exe	37
PID 2952 wrote to memory of 2724	2952	cmd.exe	38
PID 2952 wrote to memory of 2724	2952	cmd.exe	38
PID 2952 wrote to memory of 2724	2952	cmd.exe	38
PID 2952 wrote to memory of 2780	2952	cmd.exe	39
PID 2952 wrote to memory of 2780	2952	cmd.exe	39
PID 2952 wrote to memory of 2780	2952	cmd.exe	39
PID 2952 wrote to memory of 1084	2952	cmd.exe	40
PID 2952 wrote to memory of 1084	2952	cmd.exe	40
PID 2952 wrote to memory of 1084	2952	cmd.exe	40
PID 2952 wrote to memory of 2148	2952	cmd.exe	41
PID 2952 wrote to memory of 2148	2952	cmd.exe	41
PID 2952 wrote to memory of 2148	2952	cmd.exe	41
PID 2952 wrote to memory of 2352	2952	cmd.exe	42
PID 2952 wrote to memory of 2352	2952	cmd.exe	42
PID 2952 wrote to memory of 2352	2952	cmd.exe	42
PID 2952 wrote to memory of 564	2952	cmd.exe	43
PID 2952 wrote to memory of 564	2952	cmd.exe	43
PID 2952 wrote to memory of 564	2952	cmd.exe	43
PID 2952 wrote to memory of 2720	2952	cmd.exe	44
PID 2952 wrote to memory of 2720	2952	cmd.exe	44
PID 2952 wrote to memory of 2720	2952	cmd.exe	44
PID 2952 wrote to memory of 2928	2952	cmd.exe	45
PID 2952 wrote to memory of 2928	2952	cmd.exe	45
PID 2952 wrote to memory of 2928	2952	cmd.exe	45
PID 2952 wrote to memory of 2044	2952	cmd.exe	46
PID 2952 wrote to memory of 2044	2952	cmd.exe	46
PID 2952 wrote to memory of 2044	2952	cmd.exe	46
PID 2952 wrote to memory of 2092	2952	cmd.exe	47
PID 2952 wrote to memory of 2092	2952	cmd.exe	47
PID 2952 wrote to memory of 2092	2952	cmd.exe	47
PID 2952 wrote to memory of 2156	2952	cmd.exe	48
PID 2952 wrote to memory of 2156	2952	cmd.exe	48
PID 2952 wrote to memory of 2156	2952	cmd.exe	48
PID 2952 wrote to memory of 2508	2952	cmd.exe	49
PID 2952 wrote to memory of 2508	2952	cmd.exe	49
PID 2952 wrote to memory of 2508	2952	cmd.exe	49
PID 2952 wrote to memory of 2104	2952	cmd.exe	50
PID 2952 wrote to memory of 2104	2952	cmd.exe	50
PID 2952 wrote to memory of 2104	2952	cmd.exe	50
PID 2952 wrote to memory of 2576	2952	cmd.exe	51
PID 2952 wrote to memory of 2576	2952	cmd.exe	51
PID 2952 wrote to memory of 2576	2952	cmd.exe	51
PID 2952 wrote to memory of 1740	2952	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe
"C:\Users\Admin\AppData\Local\Temp\9165705656ffe7608922ff366357e3b98b0e5ece8c6d39780874c7b4bd7b2dd3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1EE6.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1EE6.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2652
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2724
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1084
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:564
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2720
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2044
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2092
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2508
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2104
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1784
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2512
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2896
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2184
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1500
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:432
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1748
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2444
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2480
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2208
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2240
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1092
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1432
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:844
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2356
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2016
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1292
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:264
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2428
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2264
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1440
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1968
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2572
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1580
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2008
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2828
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2660
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2736
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2368
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2396
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2132
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1284
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2468
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2316
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1476
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2912
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2184
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1436
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1500
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2728
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2076
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:352
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1548
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2112
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2436
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2248
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2488
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2136
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:316
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2240
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1012
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3040
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1636
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2744
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2308
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1652
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1724
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2016
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2404
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:280
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1368
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:892
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2572
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2008
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2808
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2364
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2736
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2148
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2084
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1284
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2424
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2156
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2468
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2316
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1476
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2892
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2912
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2500
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2640
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1436
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1168
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2728
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:440
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:352
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2120
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1540
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2080
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2604
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2180
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2248
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2460
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2200
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:848
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2552
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2312
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2744
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2356
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2324
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:820
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1988
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:1292
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2032
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2152
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1484
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:1032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2432
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1736
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:336
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2336
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:1580
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2348
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2064
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2296
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:800
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1808
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2848
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1760
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2824
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2580
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2684
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2364
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2736
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2724
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2732
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1624
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:564
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2928
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2800
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2104
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2332
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:772
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1740
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2920
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2220
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2512
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2496
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:3000
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1480
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2984
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2696
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2128
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:276
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2376
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1168
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1080
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1104
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:432
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1548
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3056
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:1108
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1540
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2080
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2192
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2244
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2480
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2460
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:532
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1376
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2452
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:696
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:760
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2096
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1532
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2020
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1292
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1224
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:620
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2088
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2404
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:544
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1032
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2612
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1440
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2416
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1580
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2856
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1460
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:1632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2072
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2772
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:1824
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2268
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1324
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:1660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2684
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:832
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2132
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2724
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2056
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2252
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:1640
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2332
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:3020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:3008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2512
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:1312
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2472
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1436
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2524
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2760
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2836
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1500
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:352
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:980
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2076
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:3068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2160
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:2244
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2480
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2236
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2200
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2240
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    - Enumerates processes with tasklist
    PID:696
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:2096
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1532
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2328"
    3⤵
    PID:836
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1EE6.tmp.bat

Filesize
286B

MD5
bc87c52b5f0eebc62f94e56579487c68

SHA1
66bf64905806305b139c4b313a80d76762dcda7b

SHA256
9c952bc78cd6b172305eab2afbeb931d3f0e9c9545b5483830fc4b5d3eee1496

SHA512
ae44eed4b66ea5dbbd693969fc3b682727b9946e45074846cd631583d474bfe725fbbc388f3a207c9e72d0aa200f9748505fc4a093c28f7276c71c4fbcd5719d

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2328-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000000280000-0x0000000000822000-memory.dmp

Filesize
5.6MB

Download
memory/2328-6-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-9-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download