34443c63e5b3678dfd5df2e83fb1c70dcad8fbaa658a25bcde512e216e8d4a1c

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/12/2024, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.6MB
MD5

3442efc1a403eaeee70cc2a6729ee87b
SHA1

9fcc1af6ba397c0fcfb979af53e2e76c406e6080
SHA256

34443c63e5b3678dfd5df2e83fb1c70dcad8fbaa658a25bcde512e216e8d4a1c
SHA512

869bf4a24dbafe05a43872c6ff0ff437685df6dba97519fc1a58ce96ea2166a01162a77043f4ff52d488301e3d7f34f7c9c71cfa19b4ebad512a626c8ca43dca
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcG:tWOuK6mn9NzgMoYkSIvUcwti7TQlvcih

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2124	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
2248	tasklist.exe
840	tasklist.exe
1588	tasklist.exe
2868	tasklist.exe
3008	tasklist.exe
2148	tasklist.exe
308	tasklist.exe
2088	tasklist.exe
1628	tasklist.exe
2692	tasklist.exe
2356	tasklist.exe
1444	tasklist.exe
640	tasklist.exe
1516	tasklist.exe
568	tasklist.exe
1484	tasklist.exe
2752	tasklist.exe
2256	tasklist.exe
484	tasklist.exe
2364	tasklist.exe
1424	tasklist.exe
2192	tasklist.exe
2420	tasklist.exe
1704	tasklist.exe
1820	tasklist.exe
2900	tasklist.exe
1984	tasklist.exe
2172	tasklist.exe
2320	tasklist.exe
640	tasklist.exe
2216	tasklist.exe
2172	tasklist.exe
2152	tasklist.exe
2700	tasklist.exe
988	tasklist.exe
2440	tasklist.exe
2636	tasklist.exe
2196	tasklist.exe
1864	tasklist.exe
276	tasklist.exe
1716	tasklist.exe
2680	tasklist.exe
1688	tasklist.exe
2068	tasklist.exe
2760	tasklist.exe
2828	tasklist.exe
2180	tasklist.exe
2924	tasklist.exe
1148	tasklist.exe
1380	tasklist.exe
936	tasklist.exe
2848	tasklist.exe
2256	tasklist.exe
1920	tasklist.exe
2132	tasklist.exe
1968	tasklist.exe
1036	tasklist.exe
2816	tasklist.exe
2092	tasklist.exe
380	tasklist.exe
852	tasklist.exe
1028	tasklist.exe
1676	tasklist.exe
1592	tasklist.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2096	timeout.exe
1600	timeout.exe
1948	timeout.exe
1376	timeout.exe
2084	timeout.exe
2956	timeout.exe
1868	timeout.exe
2516	timeout.exe
2908	timeout.exe
2500	timeout.exe
1712	timeout.exe
2396	timeout.exe
2480	timeout.exe
1740	timeout.exe
2988	timeout.exe
1536	timeout.exe
2656	timeout.exe
3020	timeout.exe
344	timeout.exe
3052	timeout.exe
1264	timeout.exe
2856	timeout.exe
2096	timeout.exe
2248	timeout.exe
3028	timeout.exe
1764	timeout.exe
2860	timeout.exe
2520	timeout.exe
2872	timeout.exe
1776	timeout.exe
280	timeout.exe
1700	timeout.exe
2032	timeout.exe
1704	timeout.exe
2040	timeout.exe
852	timeout.exe
1752	timeout.exe
2584	timeout.exe
2844	timeout.exe
2536	timeout.exe
2888	timeout.exe
992	timeout.exe
2796	timeout.exe
1676	timeout.exe
2536	timeout.exe
860	timeout.exe
2332	timeout.exe
2944	timeout.exe
2368	timeout.exe
2344	timeout.exe
444	timeout.exe
2108	timeout.exe
2492	timeout.exe
2676	timeout.exe
2796	timeout.exe
2608	timeout.exe
804	timeout.exe
2616	timeout.exe
1980	timeout.exe
1120	timeout.exe
2452	timeout.exe
2128	timeout.exe
2060	timeout.exe
596	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2124	file.exe
2124	file.exe
2124	file.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	file.exe
Token: SeDebugPrivilege	2828	tasklist.exe
Token: SeDebugPrivilege	3008	tasklist.exe
Token: SeDebugPrivilege	276	tasklist.exe
Token: SeDebugPrivilege	2276	tasklist.exe
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	804	tasklist.exe
Token: SeDebugPrivilege	1744	tasklist.exe
Token: SeDebugPrivilege	1676	tasklist.exe
Token: SeDebugPrivilege	1148	tasklist.exe
Token: SeDebugPrivilege	2848	tasklist.exe
Token: SeDebugPrivilege	540	tasklist.exe
Token: SeDebugPrivilege	2352	tasklist.exe
Token: SeDebugPrivilege	2192	tasklist.exe
Token: SeDebugPrivilege	1156	tasklist.exe
Token: SeDebugPrivilege	2316	tasklist.exe
Token: SeDebugPrivilege	1952	tasklist.exe
Token: SeDebugPrivilege	1348	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	640	tasklist.exe
Token: SeDebugPrivilege	1528	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	1440	tasklist.exe
Token: SeDebugPrivilege	2092	tasklist.exe
Token: SeDebugPrivilege	2112	tasklist.exe
Token: SeDebugPrivilege	2256	tasklist.exe
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	3048	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeDebugPrivilege	2572	tasklist.exe
Token: SeDebugPrivilege	2196	tasklist.exe
Token: SeDebugPrivilege	2892	tasklist.exe
Token: SeDebugPrivilege	2420	tasklist.exe
Token: SeDebugPrivilege	1152	tasklist.exe
Token: SeDebugPrivilege	2308	tasklist.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	2068	tasklist.exe
Token: SeDebugPrivilege	1984	tasklist.exe
Token: SeDebugPrivilege	1076	tasklist.exe
Token: SeDebugPrivilege	1968	tasklist.exe
Token: SeDebugPrivilege	1604	tasklist.exe
Token: SeDebugPrivilege	2432	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	1380	tasklist.exe
Token: SeDebugPrivilege	1036	tasklist.exe
Token: SeDebugPrivilege	2476	tasklist.exe
Token: SeDebugPrivilege	1224	tasklist.exe
Token: SeDebugPrivilege	2132	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	2816	tasklist.exe
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	2788	tasklist.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	3008	tasklist.exe
Token: SeDebugPrivilege	1096	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2832	2124	file.exe	30
PID 2124 wrote to memory of 2832	2124	file.exe	30
PID 2124 wrote to memory of 2832	2124	file.exe	30
PID 2832 wrote to memory of 2052	2832	cmd.exe	32
PID 2832 wrote to memory of 2052	2832	cmd.exe	32
PID 2832 wrote to memory of 2052	2832	cmd.exe	32
PID 2832 wrote to memory of 2828	2832	cmd.exe	33
PID 2832 wrote to memory of 2828	2832	cmd.exe	33
PID 2832 wrote to memory of 2828	2832	cmd.exe	33
PID 2832 wrote to memory of 2576	2832	cmd.exe	34
PID 2832 wrote to memory of 2576	2832	cmd.exe	34
PID 2832 wrote to memory of 2576	2832	cmd.exe	34
PID 2832 wrote to memory of 2616	2832	cmd.exe	36
PID 2832 wrote to memory of 2616	2832	cmd.exe	36
PID 2832 wrote to memory of 2616	2832	cmd.exe	36
PID 2832 wrote to memory of 3008	2832	cmd.exe	37
PID 2832 wrote to memory of 3008	2832	cmd.exe	37
PID 2832 wrote to memory of 3008	2832	cmd.exe	37
PID 2832 wrote to memory of 2600	2832	cmd.exe	38
PID 2832 wrote to memory of 2600	2832	cmd.exe	38
PID 2832 wrote to memory of 2600	2832	cmd.exe	38
PID 2832 wrote to memory of 3024	2832	cmd.exe	39
PID 2832 wrote to memory of 3024	2832	cmd.exe	39
PID 2832 wrote to memory of 3024	2832	cmd.exe	39
PID 2832 wrote to memory of 276	2832	cmd.exe	40
PID 2832 wrote to memory of 276	2832	cmd.exe	40
PID 2832 wrote to memory of 276	2832	cmd.exe	40
PID 2832 wrote to memory of 576	2832	cmd.exe	41
PID 2832 wrote to memory of 576	2832	cmd.exe	41
PID 2832 wrote to memory of 576	2832	cmd.exe	41
PID 2832 wrote to memory of 3052	2832	cmd.exe	42
PID 2832 wrote to memory of 3052	2832	cmd.exe	42
PID 2832 wrote to memory of 3052	2832	cmd.exe	42
PID 2832 wrote to memory of 2276	2832	cmd.exe	43
PID 2832 wrote to memory of 2276	2832	cmd.exe	43
PID 2832 wrote to memory of 2276	2832	cmd.exe	43
PID 2832 wrote to memory of 2220	2832	cmd.exe	44
PID 2832 wrote to memory of 2220	2832	cmd.exe	44
PID 2832 wrote to memory of 2220	2832	cmd.exe	44
PID 2832 wrote to memory of 2096	2832	cmd.exe	45
PID 2832 wrote to memory of 2096	2832	cmd.exe	45
PID 2832 wrote to memory of 2096	2832	cmd.exe	45
PID 2832 wrote to memory of 2148	2832	cmd.exe	46
PID 2832 wrote to memory of 2148	2832	cmd.exe	46
PID 2832 wrote to memory of 2148	2832	cmd.exe	46
PID 2832 wrote to memory of 2104	2832	cmd.exe	47
PID 2832 wrote to memory of 2104	2832	cmd.exe	47
PID 2832 wrote to memory of 2104	2832	cmd.exe	47
PID 2832 wrote to memory of 1664	2832	cmd.exe	48
PID 2832 wrote to memory of 1664	2832	cmd.exe	48
PID 2832 wrote to memory of 1664	2832	cmd.exe	48
PID 2832 wrote to memory of 804	2832	cmd.exe	49
PID 2832 wrote to memory of 804	2832	cmd.exe	49
PID 2832 wrote to memory of 804	2832	cmd.exe	49
PID 2832 wrote to memory of 620	2832	cmd.exe	50
PID 2832 wrote to memory of 620	2832	cmd.exe	50
PID 2832 wrote to memory of 620	2832	cmd.exe	50
PID 2832 wrote to memory of 2312	2832	cmd.exe	51
PID 2832 wrote to memory of 2312	2832	cmd.exe	51
PID 2832 wrote to memory of 2312	2832	cmd.exe	51
PID 2832 wrote to memory of 1744	2832	cmd.exe	52
PID 2832 wrote to memory of 1744	2832	cmd.exe	52
PID 2832 wrote to memory of 1744	2832	cmd.exe	52
PID 2832 wrote to memory of 2292	2832	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2118.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2118.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2616
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2600
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3024
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2220
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2096
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2104
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1664
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:620
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2312
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2292
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2860
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2888
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:380
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2492
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2404
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2188
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2460
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2176
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:444
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1792
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:840
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2448
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1864
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2496
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2200
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2956
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2536
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2960
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2252
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2388
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2480
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1948
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2676
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2804
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2736
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2988
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2396
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2160
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2060
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:236
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1684
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2768
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2888
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1820
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:264
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1768
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2184
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2328
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2320
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:408
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2168
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2424
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1868
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1372
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:860
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:908
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1536
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1804
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1796
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1008
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1752
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1400
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2372
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2656
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2824
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2612
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2420
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2104
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2356
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2732
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2044
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2292
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1580
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:984
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1700
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1240
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1480
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1680
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2492
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3064
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2180
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1800
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1444
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1264
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:444
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1076
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:624
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1920
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1952
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2512
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:840
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1604
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1864
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2432
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2200
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:640
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1228
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1776
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1380
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:988
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1516
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2476
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:280
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2092
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2112
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2132
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2480
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2236
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:3048
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2660
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2696
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3024
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:276
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3016
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2648
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2360
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2148
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2420
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:828
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1724
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:308
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:340
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2284
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:324
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2856
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2688
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1312
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:380
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:540
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1736
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1768
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2172
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1260
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2084
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2444
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1788
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1264
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2364
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2472
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2288
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2448
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:760
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:840
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1740
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:908
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1292
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1536
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2536
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2268
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2164
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1360
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1516
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1816
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1632
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2388
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:852
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1120
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2408
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1948
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2520
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1008
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1588
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2840
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2656
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2372
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2944
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2636
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2452
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2136
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2976
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:3052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2020
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2096
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2088
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2128
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2772
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2276
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1764
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2312
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2104
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1376
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2868
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:620
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1424
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2440
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1676
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1688
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:380
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1932
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1720
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2192
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1260
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2332
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:2068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1508
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    - Enumerates processes with tasklist
    PID:1984
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2108
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2368
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:2288
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1968
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:1092
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:908
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1292
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2248
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2124"
    3⤵
    PID:568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2118.tmp.bat

Filesize
286B

MD5
6706d1e0856134f26d41492a80a93085

SHA1
81aa5640abaae420d73c6472ebe7286b171f8809

SHA256
6938ba8201743c5839071d43019594b2615f574340995c5759fc207fa0cb1905

SHA512
3001fc5a7fdb35a12bded3be735f23f54baf710b0e66575f381f1446014ec2c20f5da2490dfbbae773b8efdafa745d4ecf4082a04b32e809d11e272e9aca9028

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2124-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x0000000001140000-0x00000000016E2000-memory.dmp

Filesize
5.6MB

Download
memory/2124-6-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2124-9-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download