246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe
Size

5.6MB
MD5

9131ecd24f80c67f05d3a145e24251dd
SHA1

52bde2feddadd2c5dfdad19a5303e78dd7b660d8
SHA256

246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63
SHA512

a49b6b6303210b5cb9a5f0ffe39f38c83027562c165abf50b823d45de978eadbfa319cbec4425089ea30be8e49796665c52207d799cb56467f76facecdc9b753
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcM:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciD

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2284	246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
648	tasklist.exe
1004	tasklist.exe
2424	tasklist.exe
2804	tasklist.exe
600	tasklist.exe
572	tasklist.exe
2064	tasklist.exe
2000	tasklist.exe
1440	tasklist.exe
1296	tasklist.exe
584	tasklist.exe
1656	tasklist.exe
1960	tasklist.exe
772	tasklist.exe
2056	tasklist.exe
556	tasklist.exe
1648	tasklist.exe
2600	tasklist.exe
2444	tasklist.exe
1700	tasklist.exe
1156	tasklist.exe
2936	tasklist.exe
1612	tasklist.exe
280	tasklist.exe
1528	tasklist.exe
1996	tasklist.exe
2588	tasklist.exe
2756	tasklist.exe
2856	tasklist.exe
1604	tasklist.exe
2468	tasklist.exe
1536	tasklist.exe
1072	tasklist.exe
2620	tasklist.exe
1516	tasklist.exe
704	tasklist.exe
2708	tasklist.exe
1208	tasklist.exe
2004	tasklist.exe
1824	tasklist.exe
2260	tasklist.exe
2864	tasklist.exe
2456	tasklist.exe
2964	tasklist.exe
2532	tasklist.exe
2688	tasklist.exe
2740	tasklist.exe
1992	tasklist.exe
1656	tasklist.exe
1528	tasklist.exe
2996	tasklist.exe
2112	tasklist.exe
1140	tasklist.exe
3040	tasklist.exe
1572	tasklist.exe
2140	tasklist.exe
1536	tasklist.exe
2028	tasklist.exe
2680	tasklist.exe
1632	tasklist.exe
1020	tasklist.exe
1756	tasklist.exe
2960	tasklist.exe
556	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1036	timeout.exe
1564	timeout.exe
2208	timeout.exe
2924	timeout.exe
2628	timeout.exe
2444	timeout.exe
2672	timeout.exe
2812	timeout.exe
1800	timeout.exe
1776	timeout.exe
1328	timeout.exe
2380	timeout.exe
2548	timeout.exe
1812	timeout.exe
2088	timeout.exe
2320	timeout.exe
2836	timeout.exe
1248	timeout.exe
1036	timeout.exe
640	timeout.exe
1400	timeout.exe
2076	timeout.exe
560	timeout.exe
1204	timeout.exe
2380	timeout.exe
1764	timeout.exe
2140	timeout.exe
1520	timeout.exe
2932	timeout.exe
2776	timeout.exe
1992	timeout.exe
1500	timeout.exe
2740	timeout.exe
444	timeout.exe
904	timeout.exe
2852	timeout.exe
1332	timeout.exe
2884	timeout.exe
2428	timeout.exe
408	timeout.exe
1500	timeout.exe
2320	timeout.exe
2604	timeout.exe
1628	timeout.exe
2572	timeout.exe
824	timeout.exe
3044	timeout.exe
2008	timeout.exe
2328	timeout.exe
1636	timeout.exe
2124	timeout.exe
1252	timeout.exe
1812	timeout.exe
2832	timeout.exe
2240	timeout.exe
2376	timeout.exe
2708	timeout.exe
720	timeout.exe
2832	timeout.exe
664	timeout.exe
2004	timeout.exe
1828	timeout.exe
2572	timeout.exe
2400	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2284	246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe
2284	246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe
2284	246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe
Token: SeDebugPrivilege	2708	tasklist.exe
Token: SeDebugPrivilege	2756	tasklist.exe
Token: SeDebugPrivilege	2620	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe
Token: SeDebugPrivilege	332	tasklist.exe
Token: SeDebugPrivilege	572	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe
Token: SeDebugPrivilege	2828	tasklist.exe
Token: SeDebugPrivilege	2864	tasklist.exe
Token: SeDebugPrivilege	324	tasklist.exe
Token: SeDebugPrivilege	548	tasklist.exe
Token: SeDebugPrivilege	1648	tasklist.exe
Token: SeDebugPrivilege	1096	tasklist.exe
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	1960	tasklist.exe
Token: SeDebugPrivilege	2152	tasklist.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	3036	tasklist.exe
Token: SeDebugPrivilege	2064	tasklist.exe
Token: SeDebugPrivilege	1140	tasklist.exe
Token: SeDebugPrivilege	2024	tasklist.exe
Token: SeDebugPrivilege	1632	tasklist.exe
Token: SeDebugPrivilege	944	tasklist.exe
Token: SeDebugPrivilege	2256	tasklist.exe
Token: SeDebugPrivilege	2084	tasklist.exe
Token: SeDebugPrivilege	1516	tasklist.exe
Token: SeDebugPrivilege	2060	tasklist.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe
Token: SeDebugPrivilege	3040	tasklist.exe
Token: SeDebugPrivilege	2960	tasklist.exe
Token: SeDebugPrivilege	2564	tasklist.exe
Token: SeDebugPrivilege	2456	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	704	tasklist.exe
Token: SeDebugPrivilege	280	tasklist.exe
Token: SeDebugPrivilege	552	tasklist.exe
Token: SeDebugPrivilege	2600	tasklist.exe
Token: SeDebugPrivilege	2336	tasklist.exe
Token: SeDebugPrivilege	1808	tasklist.exe
Token: SeDebugPrivilege	1572	tasklist.exe
Token: SeDebugPrivilege	1536	tasklist.exe
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeDebugPrivilege	2000	tasklist.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	2596	tasklist.exe
Token: SeDebugPrivilege	772	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	1004	tasklist.exe
Token: SeDebugPrivilege	2136	tasklist.exe
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeDebugPrivilege	1368	tasklist.exe
Token: SeDebugPrivilege	2056	tasklist.exe
Token: SeDebugPrivilege	1528	tasklist.exe
Token: SeDebugPrivilege	3032	tasklist.exe
Token: SeDebugPrivilege	1512	tasklist.exe
Token: SeDebugPrivilege	2924	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	2628	tasklist.exe
Token: SeDebugPrivilege	2444	tasklist.exe
Token: SeDebugPrivilege	2856	tasklist.exe
Token: SeDebugPrivilege	2500	tasklist.exe
Token: SeDebugPrivilege	2976	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2624	2284	246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe	29
PID 2284 wrote to memory of 2624	2284	246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe	29
PID 2284 wrote to memory of 2624	2284	246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe	29
PID 2624 wrote to memory of 2660	2624	cmd.exe	31
PID 2624 wrote to memory of 2660	2624	cmd.exe	31
PID 2624 wrote to memory of 2660	2624	cmd.exe	31
PID 2624 wrote to memory of 2708	2624	cmd.exe	32
PID 2624 wrote to memory of 2708	2624	cmd.exe	32
PID 2624 wrote to memory of 2708	2624	cmd.exe	32
PID 2624 wrote to memory of 2112	2624	cmd.exe	33
PID 2624 wrote to memory of 2112	2624	cmd.exe	33
PID 2624 wrote to memory of 2112	2624	cmd.exe	33
PID 2624 wrote to memory of 2740	2624	cmd.exe	34
PID 2624 wrote to memory of 2740	2624	cmd.exe	34
PID 2624 wrote to memory of 2740	2624	cmd.exe	34
PID 2624 wrote to memory of 2756	2624	cmd.exe	35
PID 2624 wrote to memory of 2756	2624	cmd.exe	35
PID 2624 wrote to memory of 2756	2624	cmd.exe	35
PID 2624 wrote to memory of 2504	2624	cmd.exe	36
PID 2624 wrote to memory of 2504	2624	cmd.exe	36
PID 2624 wrote to memory of 2504	2624	cmd.exe	36
PID 2624 wrote to memory of 2552	2624	cmd.exe	37
PID 2624 wrote to memory of 2552	2624	cmd.exe	37
PID 2624 wrote to memory of 2552	2624	cmd.exe	37
PID 2624 wrote to memory of 2620	2624	cmd.exe	38
PID 2624 wrote to memory of 2620	2624	cmd.exe	38
PID 2624 wrote to memory of 2620	2624	cmd.exe	38
PID 2624 wrote to memory of 1664	2624	cmd.exe	39
PID 2624 wrote to memory of 1664	2624	cmd.exe	39
PID 2624 wrote to memory of 1664	2624	cmd.exe	39
PID 2624 wrote to memory of 2380	2624	cmd.exe	40
PID 2624 wrote to memory of 2380	2624	cmd.exe	40
PID 2624 wrote to memory of 2380	2624	cmd.exe	40
PID 2624 wrote to memory of 2980	2624	cmd.exe	41
PID 2624 wrote to memory of 2980	2624	cmd.exe	41
PID 2624 wrote to memory of 2980	2624	cmd.exe	41
PID 2624 wrote to memory of 1680	2624	cmd.exe	42
PID 2624 wrote to memory of 1680	2624	cmd.exe	42
PID 2624 wrote to memory of 1680	2624	cmd.exe	42
PID 2624 wrote to memory of 596	2624	cmd.exe	43
PID 2624 wrote to memory of 596	2624	cmd.exe	43
PID 2624 wrote to memory of 596	2624	cmd.exe	43
PID 2624 wrote to memory of 332	2624	cmd.exe	44
PID 2624 wrote to memory of 332	2624	cmd.exe	44
PID 2624 wrote to memory of 332	2624	cmd.exe	44
PID 2624 wrote to memory of 792	2624	cmd.exe	45
PID 2624 wrote to memory of 792	2624	cmd.exe	45
PID 2624 wrote to memory of 792	2624	cmd.exe	45
PID 2624 wrote to memory of 1036	2624	cmd.exe	46
PID 2624 wrote to memory of 1036	2624	cmd.exe	46
PID 2624 wrote to memory of 1036	2624	cmd.exe	46
PID 2624 wrote to memory of 572	2624	cmd.exe	47
PID 2624 wrote to memory of 572	2624	cmd.exe	47
PID 2624 wrote to memory of 572	2624	cmd.exe	47
PID 2624 wrote to memory of 576	2624	cmd.exe	48
PID 2624 wrote to memory of 576	2624	cmd.exe	48
PID 2624 wrote to memory of 576	2624	cmd.exe	48
PID 2624 wrote to memory of 1484	2624	cmd.exe	49
PID 2624 wrote to memory of 1484	2624	cmd.exe	49
PID 2624 wrote to memory of 1484	2624	cmd.exe	49
PID 2624 wrote to memory of 2028	2624	cmd.exe	50
PID 2624 wrote to memory of 2028	2624	cmd.exe	50
PID 2624 wrote to memory of 2028	2624	cmd.exe	50
PID 2624 wrote to memory of 2560	2624	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe
"C:\Users\Admin\AppData\Local\Temp\246be4970b93f526c742ff8f7f9030b292294480f79df9a8f1bd9626df459e63.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp739A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp739A.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2660
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2112
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2740
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2552
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2380
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1484
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2560
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2816
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2684
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1128
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1248
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1636
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1560
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:664
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1192
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2404
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1540
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1980
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2992
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2908
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1244
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2208
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:600
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1768
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2124
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2268
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2260
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1528
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1968
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2884
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2772
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2924
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1620
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2604
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:824
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2696
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:628
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:320
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:828
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:280
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1488
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1116
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2796
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2812
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2676
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1336
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1728
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2472
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1080
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2008
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2236
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2368
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2088
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2204
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:408
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1828
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2156
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1252
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1300
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1328
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1356
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1332
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2176
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1968
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2884
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2392
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2288
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2656
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2272
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2296
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2660
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2508
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2532
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2380
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2092
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1296
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1824
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:320
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1156
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:896
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2560
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:552
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2808
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2688
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2832
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1932
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2336
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1656
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1800
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1764
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1872
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2472
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2008
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2360
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2184
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2540
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1208
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2088
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1440
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1004
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:408
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2140
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:316
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2188
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:700
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1032
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1368
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1356
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:720
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2176
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2240
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2252
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1844
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2932
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1612
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2288
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:560
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1072
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2508
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1668
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1344
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2740
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:812
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2552
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1664
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1240
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1824
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:332
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1156
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:896
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1868
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1116
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:620
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2560
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2808
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1128
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2832
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1932
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2460
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2400
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1560
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1812
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1980
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2076
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2152
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1776
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2480
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2912
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2944
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:3036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1724
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2428
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1768
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:408
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2140
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2024
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2188
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2376
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2260
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:568
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1784
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2096
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2084
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2328
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1716
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2424
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2932
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1612
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2228
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2652
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:952
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2284
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2608
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2696
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2532
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2564
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1296
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2380
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1604
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1488
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2812
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2776
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1748
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2828
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2588
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2844
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2832
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2868
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1656
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:1756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1572
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1812
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1076
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2340
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1204
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:1820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2968
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2404
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2468
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:2004
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2148
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2540
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2908
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2088
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    PID:2916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1244
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2284"
    3⤵
    - Enumerates processes with tasklist
    PID:600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp739A.tmp.bat

Filesize
362B

MD5
b4f810c9ca1762d81d8eb8707a94c445

SHA1
d7b68073afda35775d6881ad316cf7d730f43403

SHA256
228bcd9f9b02dd57cff19cd59ee6d890e10101c22e2677ae82e705324476e125

SHA512
38bd1089895dadb4734bdbc937a09b61c45bdb75e87e04b456998e2ebb3ed6fea415cf6a50a6d186e3bfb7e9269d089e19fe37a7230978e0936c278114657dbb

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2284-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

Filesize
4KB

Download
memory/2284-1-0x00000000012A0000-0x0000000001842000-memory.dmp

Filesize
5.6MB

Download
memory/2284-6-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2284-10-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download