a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d0701d8fdc16df25fa0249b59aab042.exe
Size

5.6MB
MD5

1d0701d8fdc16df25fa0249b59aab042
SHA1

6028426f7e0a712a1aeae28d986337aafae26abe
SHA256

a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9
SHA512

f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcA:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2500	1d0701d8fdc16df25fa0249b59aab042.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
2692	tasklist.exe
2412	tasklist.exe
2244	tasklist.exe
2320	tasklist.exe
1492	tasklist.exe
696	tasklist.exe
3016	tasklist.exe
876	tasklist.exe
1944	tasklist.exe
1844	tasklist.exe
2272	tasklist.exe
1312	tasklist.exe
2472	tasklist.exe
2264	tasklist.exe
2224	tasklist.exe
2248	tasklist.exe
1636	tasklist.exe
2264	tasklist.exe
1668	tasklist.exe
2828	tasklist.exe
1540	tasklist.exe
884	tasklist.exe
1884	tasklist.exe
2580	tasklist.exe
3020	tasklist.exe
1636	tasklist.exe
1644	tasklist.exe
2160	tasklist.exe
2568	tasklist.exe
1812	tasklist.exe
2484	tasklist.exe
2348	tasklist.exe
2304	tasklist.exe
2476	tasklist.exe
2992	tasklist.exe
2648	tasklist.exe
2448	tasklist.exe
952	tasklist.exe
2584	tasklist.exe
2960	tasklist.exe
1608	tasklist.exe
2628	tasklist.exe
2188	tasklist.exe
1564	tasklist.exe
1192	tasklist.exe
2404	tasklist.exe
2476	tasklist.exe
2248	tasklist.exe
2860	tasklist.exe
1948	tasklist.exe
1236	tasklist.exe
1884	tasklist.exe
1600	tasklist.exe
2272	tasklist.exe
2756	tasklist.exe
392	tasklist.exe
1432	tasklist.exe
2220	tasklist.exe
1112	tasklist.exe
1648	tasklist.exe
1860	tasklist.exe
1148	tasklist.exe
1500	tasklist.exe
1836	tasklist.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1992	timeout.exe
1076	timeout.exe
2052	timeout.exe
2472	timeout.exe
1524	timeout.exe
1420	timeout.exe
2740	timeout.exe
2484	timeout.exe
1868	timeout.exe
904	timeout.exe
2504	timeout.exe
1568	timeout.exe
1600	timeout.exe
1844	timeout.exe
2596	timeout.exe
444	timeout.exe
1984	timeout.exe
1524	timeout.exe
2804	timeout.exe
1516	timeout.exe
2420	timeout.exe
1984	timeout.exe
2056	timeout.exe
300	timeout.exe
2872	timeout.exe
1864	timeout.exe
2708	timeout.exe
2124	timeout.exe
1976	timeout.exe
892	timeout.exe
1396	timeout.exe
2584	timeout.exe
1208	timeout.exe
1100	timeout.exe
840	timeout.exe
1892	timeout.exe
996	timeout.exe
2032	timeout.exe
2040	timeout.exe
1340	timeout.exe
1640	timeout.exe
992	timeout.exe
2864	timeout.exe
1940	timeout.exe
2940	timeout.exe
1356	timeout.exe
1528	timeout.exe
1624	timeout.exe
2596	timeout.exe
1436	timeout.exe
276	timeout.exe
2820	timeout.exe
1768	timeout.exe
564	timeout.exe
2220	timeout.exe
604	timeout.exe
1556	timeout.exe
1160	timeout.exe
2620	timeout.exe
2132	timeout.exe
2196	timeout.exe
2028	timeout.exe
2264	timeout.exe
3012	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2500	1d0701d8fdc16df25fa0249b59aab042.exe
2500	1d0701d8fdc16df25fa0249b59aab042.exe
2500	1d0701d8fdc16df25fa0249b59aab042.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	1d0701d8fdc16df25fa0249b59aab042.exe
Token: SeDebugPrivilege	2220	tasklist.exe
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeDebugPrivilege	2788	tasklist.exe
Token: SeDebugPrivilege	2628	tasklist.exe
Token: SeDebugPrivilege	2644	tasklist.exe
Token: SeDebugPrivilege	3016	tasklist.exe
Token: SeDebugPrivilege	1160	tasklist.exe
Token: SeDebugPrivilege	352	tasklist.exe
Token: SeDebugPrivilege	1988	tasklist.exe
Token: SeDebugPrivilege	1692	tasklist.exe
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	1196	tasklist.exe
Token: SeDebugPrivilege	2828	tasklist.exe
Token: SeDebugPrivilege	2188	tasklist.exe
Token: SeDebugPrivilege	2256	tasklist.exe
Token: SeDebugPrivilege	916	tasklist.exe
Token: SeDebugPrivilege	1884	tasklist.exe
Token: SeDebugPrivilege	1968	tasklist.exe
Token: SeDebugPrivilege	2292	tasklist.exe
Token: SeDebugPrivilege	1600	tasklist.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	2272	tasklist.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	1896	tasklist.exe
Token: SeDebugPrivilege	1404	tasklist.exe
Token: SeDebugPrivilege	2504	tasklist.exe
Token: SeDebugPrivilege	2224	tasklist.exe
Token: SeDebugPrivilege	2528	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	2804	tasklist.exe
Token: SeDebugPrivilege	2264	tasklist.exe
Token: SeDebugPrivilege	2584	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	1844	tasklist.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	2484	tasklist.exe
Token: SeDebugPrivilege	1636	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	1352	tasklist.exe
Token: SeDebugPrivilege	1196	tasklist.exe
Token: SeDebugPrivilege	2828	tasklist.exe
Token: SeDebugPrivilege	2472	tasklist.exe
Token: SeDebugPrivilege	660	tasklist.exe
Token: SeDebugPrivilege	1112	tasklist.exe
Token: SeDebugPrivilege	1216	tasklist.exe
Token: SeDebugPrivilege	1204	tasklist.exe
Token: SeDebugPrivilege	1564	tasklist.exe
Token: SeDebugPrivilege	1816	tasklist.exe
Token: SeDebugPrivilege	1644	tasklist.exe
Token: SeDebugPrivilege	904	tasklist.exe
Token: SeDebugPrivilege	1556	tasklist.exe
Token: SeDebugPrivilege	1412	tasklist.exe
Token: SeDebugPrivilege	1944	tasklist.exe
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	2664	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	2320	tasklist.exe
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeDebugPrivilege	2264	tasklist.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1980	2500	1d0701d8fdc16df25fa0249b59aab042.exe	31
PID 2500 wrote to memory of 1980	2500	1d0701d8fdc16df25fa0249b59aab042.exe	31
PID 2500 wrote to memory of 1980	2500	1d0701d8fdc16df25fa0249b59aab042.exe	31
PID 1980 wrote to memory of 3008	1980	cmd.exe	33
PID 1980 wrote to memory of 3008	1980	cmd.exe	33
PID 1980 wrote to memory of 3008	1980	cmd.exe	33
PID 1980 wrote to memory of 2220	1980	cmd.exe	34
PID 1980 wrote to memory of 2220	1980	cmd.exe	34
PID 1980 wrote to memory of 2220	1980	cmd.exe	34
PID 1980 wrote to memory of 2672	1980	cmd.exe	35
PID 1980 wrote to memory of 2672	1980	cmd.exe	35
PID 1980 wrote to memory of 2672	1980	cmd.exe	35
PID 1980 wrote to memory of 2820	1980	cmd.exe	37
PID 1980 wrote to memory of 2820	1980	cmd.exe	37
PID 1980 wrote to memory of 2820	1980	cmd.exe	37
PID 1980 wrote to memory of 2860	1980	cmd.exe	38
PID 1980 wrote to memory of 2860	1980	cmd.exe	38
PID 1980 wrote to memory of 2860	1980	cmd.exe	38
PID 1980 wrote to memory of 2864	1980	cmd.exe	39
PID 1980 wrote to memory of 2864	1980	cmd.exe	39
PID 1980 wrote to memory of 2864	1980	cmd.exe	39
PID 1980 wrote to memory of 2940	1980	cmd.exe	40
PID 1980 wrote to memory of 2940	1980	cmd.exe	40
PID 1980 wrote to memory of 2940	1980	cmd.exe	40
PID 1980 wrote to memory of 2788	1980	cmd.exe	41
PID 1980 wrote to memory of 2788	1980	cmd.exe	41
PID 1980 wrote to memory of 2788	1980	cmd.exe	41
PID 1980 wrote to memory of 2712	1980	cmd.exe	42
PID 1980 wrote to memory of 2712	1980	cmd.exe	42
PID 1980 wrote to memory of 2712	1980	cmd.exe	42
PID 1980 wrote to memory of 2740	1980	cmd.exe	43
PID 1980 wrote to memory of 2740	1980	cmd.exe	43
PID 1980 wrote to memory of 2740	1980	cmd.exe	43
PID 1980 wrote to memory of 2628	1980	cmd.exe	44
PID 1980 wrote to memory of 2628	1980	cmd.exe	44
PID 1980 wrote to memory of 2628	1980	cmd.exe	44
PID 1980 wrote to memory of 2636	1980	cmd.exe	45
PID 1980 wrote to memory of 2636	1980	cmd.exe	45
PID 1980 wrote to memory of 2636	1980	cmd.exe	45
PID 1980 wrote to memory of 2596	1980	cmd.exe	46
PID 1980 wrote to memory of 2596	1980	cmd.exe	46
PID 1980 wrote to memory of 2596	1980	cmd.exe	46
PID 1980 wrote to memory of 2644	1980	cmd.exe	47
PID 1980 wrote to memory of 2644	1980	cmd.exe	47
PID 1980 wrote to memory of 2644	1980	cmd.exe	47
PID 1980 wrote to memory of 2656	1980	cmd.exe	48
PID 1980 wrote to memory of 2656	1980	cmd.exe	48
PID 1980 wrote to memory of 2656	1980	cmd.exe	48
PID 1980 wrote to memory of 2872	1980	cmd.exe	49
PID 1980 wrote to memory of 2872	1980	cmd.exe	49
PID 1980 wrote to memory of 2872	1980	cmd.exe	49
PID 1980 wrote to memory of 3016	1980	cmd.exe	50
PID 1980 wrote to memory of 3016	1980	cmd.exe	50
PID 1980 wrote to memory of 3016	1980	cmd.exe	50
PID 1980 wrote to memory of 768	1980	cmd.exe	51
PID 1980 wrote to memory of 768	1980	cmd.exe	51
PID 1980 wrote to memory of 768	1980	cmd.exe	51
PID 1980 wrote to memory of 2420	1980	cmd.exe	52
PID 1980 wrote to memory of 2420	1980	cmd.exe	52
PID 1980 wrote to memory of 2420	1980	cmd.exe	52
PID 1980 wrote to memory of 1160	1980	cmd.exe	53
PID 1980 wrote to memory of 1160	1980	cmd.exe	53
PID 1980 wrote to memory of 1160	1980	cmd.exe	53
PID 1980 wrote to memory of 1256	1980	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\1d0701d8fdc16df25fa0249b59aab042.exe
"C:\Users\Admin\AppData\Local\Temp\1d0701d8fdc16df25fa0249b59aab042.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2820
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2864
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2740
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2636
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2656
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:768
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2420
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1256
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:352
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2124
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1464
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1824
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:336
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1356
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2568
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:840
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2184
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2200
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1048
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:392
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1724
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1392
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1528
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1572
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2908
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2172
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2312
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2404
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1872
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2476
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2232
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2064
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2164
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2848
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2792
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2740
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2332
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1452
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2124
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:276
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2132
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2088
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1948
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1352
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1340
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1192
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2432
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1768
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2256
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1976
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2372
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1616
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1568
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:704
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1396
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2268
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1848
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1480
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2096
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2296
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2196
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2804
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2868
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2644
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2384
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:768
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1532
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1160
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1632
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2484
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1728
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1436
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2348
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:828
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1668
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1936
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2040
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1340
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1192
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2992
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2680
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:604
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2200
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:300
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:392
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2468
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2304
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:684
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1392
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1572
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2292
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1564
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2900
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2312
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1644
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2412
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2404
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2272
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1868
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1500
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2244
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2300
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1624
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2476
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1588
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2812
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1228
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2164
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2220
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2264
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2160
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2636
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2580
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3012
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2384
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2624
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1860
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1820
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1636
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1464
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2136
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1808
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2088
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:336
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1652
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1672
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2668
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1072
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:532
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:300
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1100
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2468
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1112
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1216
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1392
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1968
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1148
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:992
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2292
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2172
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2900
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2404
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2100
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:3068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1412
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1500
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1260
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2244
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2296
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2300
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2504
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2476
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1588
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2056
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2224
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:328
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2248
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1096
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:956
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2888
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2848
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2600
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2264
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3012
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1300
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:3024
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1160
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1492
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1208
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2132
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2140
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1948
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1356
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2460
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2896
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:1268
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2448
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2992
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2184
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2844
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2316
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1048
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1292
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2468
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1812
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1416
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:696
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1252
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1836
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1148
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:1608
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2280
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1420
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    - Enumerates processes with tasklist
    PID:2960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2500"
    3⤵
    PID:2284
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp.bat

Filesize
286B

MD5
24931933a3529cc70743275fb5bf322b

SHA1
53bf83a0e15fe8c2618cb52137d40f08042f517d

SHA256
995e28be41f7b1f3a44fc5804036535eac4a770b01134e6182f381ae7ed757ae

SHA512
d18a05946f1680398493b72806f22d6cd46e9038f6f26dcaef50d79280fcc56aec22d118563b952d75b3e3e770dff2c8aaea3342fc364c8d1289a074f9d2dd10

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2500-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x00000000010F0000-0x0000000001692000-memory.dmp

Filesize
5.6MB

Download
memory/2500-6-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-9-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download