a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/12/2024, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d0701d8fdc16df25fa0249b59aab042.exe
Size

5.6MB
MD5

1d0701d8fdc16df25fa0249b59aab042
SHA1

6028426f7e0a712a1aeae28d986337aafae26abe
SHA256

a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9
SHA512

f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcA:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2848	1d0701d8fdc16df25fa0249b59aab042.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
2692	tasklist.exe
664	tasklist.exe
1060	tasklist.exe
3000	tasklist.exe
2876	tasklist.exe
2772	tasklist.exe
824	tasklist.exe
332	tasklist.exe
3024	tasklist.exe
1684	tasklist.exe
2216	tasklist.exe
3008	tasklist.exe
2012	tasklist.exe
2600	tasklist.exe
1448	tasklist.exe
1132	tasklist.exe
1388	tasklist.exe
2804	tasklist.exe
2940	tasklist.exe
2248	tasklist.exe
1564	tasklist.exe
2564	tasklist.exe
2052	tasklist.exe
980	tasklist.exe
3012	tasklist.exe
1936	tasklist.exe
1964	tasklist.exe
3056	tasklist.exe
1880	tasklist.exe
2628	tasklist.exe
2100	tasklist.exe
1032	tasklist.exe
2304	tasklist.exe
2672	tasklist.exe
1960	tasklist.exe
1564	tasklist.exe
1256	tasklist.exe
2412	tasklist.exe
2268	tasklist.exe
2120	tasklist.exe
1164	tasklist.exe
1936	tasklist.exe
3052	tasklist.exe
696	tasklist.exe
2164	tasklist.exe
1704	tasklist.exe
2768	tasklist.exe
296	tasklist.exe
2256	tasklist.exe
1676	tasklist.exe
1408	tasklist.exe
864	tasklist.exe
2076	tasklist.exe
1712	tasklist.exe
884	tasklist.exe
112	tasklist.exe
768	tasklist.exe
1784	tasklist.exe
3036	tasklist.exe
3060	tasklist.exe
2844	tasklist.exe
1632	tasklist.exe
1440	tasklist.exe
2320	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2940	timeout.exe
2180	timeout.exe
920	timeout.exe
1576	timeout.exe
1020	timeout.exe
2580	timeout.exe
236	timeout.exe
2456	timeout.exe
2112	timeout.exe
652	timeout.exe
1880	timeout.exe
2452	timeout.exe
544	timeout.exe
1876	timeout.exe
2712	timeout.exe
588	timeout.exe
2696	timeout.exe
2212	timeout.exe
2104	timeout.exe
1152	timeout.exe
2004	timeout.exe
620	timeout.exe
2392	timeout.exe
1400	timeout.exe
1168	timeout.exe
2200	timeout.exe
604	timeout.exe
416	timeout.exe
2268	timeout.exe
1692	timeout.exe
2108	timeout.exe
2608	timeout.exe
2648	timeout.exe
2044	timeout.exe
2440	timeout.exe
2616	timeout.exe
996	timeout.exe
2672	timeout.exe
1812	timeout.exe
1308	timeout.exe
2964	timeout.exe
1408	timeout.exe
908	timeout.exe
2716	timeout.exe
1724	timeout.exe
2228	timeout.exe
2764	timeout.exe
788	timeout.exe
2168	timeout.exe
2444	timeout.exe
484	timeout.exe
1872	timeout.exe
2548	timeout.exe
2564	timeout.exe
1060	timeout.exe
2004	timeout.exe
2772	timeout.exe
1092	timeout.exe
2780	timeout.exe
2036	timeout.exe
548	timeout.exe
2408	timeout.exe
2100	timeout.exe
2448	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2848	1d0701d8fdc16df25fa0249b59aab042.exe
2848	1d0701d8fdc16df25fa0249b59aab042.exe
2848	1d0701d8fdc16df25fa0249b59aab042.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	1d0701d8fdc16df25fa0249b59aab042.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	2372	tasklist.exe
Token: SeDebugPrivilege	2664	tasklist.exe
Token: SeDebugPrivilege	2600	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe
Token: SeDebugPrivilege	1408	tasklist.exe
Token: SeDebugPrivilege	856	tasklist.exe
Token: SeDebugPrivilege	2796	tasklist.exe
Token: SeDebugPrivilege	2100	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	564	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	2236	tasklist.exe
Token: SeDebugPrivilege	2208	tasklist.exe
Token: SeDebugPrivilege	1936	tasklist.exe
Token: SeDebugPrivilege	3024	tasklist.exe
Token: SeDebugPrivilege	664	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	1388	tasklist.exe
Token: SeDebugPrivilege	1256	tasklist.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	2868	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	1164	tasklist.exe
Token: SeDebugPrivilege	2260	tasklist.exe
Token: SeDebugPrivilege	1368	tasklist.exe
Token: SeDebugPrivilege	864	tasklist.exe
Token: SeDebugPrivilege	2768	tasklist.exe
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	2820	tasklist.exe
Token: SeDebugPrivilege	3064	tasklist.exe
Token: SeDebugPrivilege	1052	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	2620	tasklist.exe
Token: SeDebugPrivilege	2772	tasklist.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	1448	tasklist.exe
Token: SeDebugPrivilege	1324	tasklist.exe
Token: SeDebugPrivilege	1564	tasklist.exe
Token: SeDebugPrivilege	1648	tasklist.exe
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeDebugPrivilege	1132	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	3060	tasklist.exe
Token: SeDebugPrivilege	780	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	1712	tasklist.exe
Token: SeDebugPrivilege	1508	tasklist.exe
Token: SeDebugPrivilege	2284	tasklist.exe
Token: SeDebugPrivilege	824	tasklist.exe
Token: SeDebugPrivilege	884	tasklist.exe
Token: SeDebugPrivilege	332	tasklist.exe
Token: SeDebugPrivilege	484	tasklist.exe
Token: SeDebugPrivilege	2696	tasklist.exe
Token: SeDebugPrivilege	2844	tasklist.exe
Token: SeDebugPrivilege	2564	tasklist.exe
Token: SeDebugPrivilege	652	tasklist.exe
Token: SeDebugPrivilege	2464	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2856	2848	1d0701d8fdc16df25fa0249b59aab042.exe	31
PID 2848 wrote to memory of 2856	2848	1d0701d8fdc16df25fa0249b59aab042.exe	31
PID 2848 wrote to memory of 2856	2848	1d0701d8fdc16df25fa0249b59aab042.exe	31
PID 2856 wrote to memory of 2000	2856	cmd.exe	33
PID 2856 wrote to memory of 2000	2856	cmd.exe	33
PID 2856 wrote to memory of 2000	2856	cmd.exe	33
PID 2856 wrote to memory of 2692	2856	cmd.exe	34
PID 2856 wrote to memory of 2692	2856	cmd.exe	34
PID 2856 wrote to memory of 2692	2856	cmd.exe	34
PID 2856 wrote to memory of 2680	2856	cmd.exe	35
PID 2856 wrote to memory of 2680	2856	cmd.exe	35
PID 2856 wrote to memory of 2680	2856	cmd.exe	35
PID 2856 wrote to memory of 2764	2856	cmd.exe	37
PID 2856 wrote to memory of 2764	2856	cmd.exe	37
PID 2856 wrote to memory of 2764	2856	cmd.exe	37
PID 2856 wrote to memory of 2372	2856	cmd.exe	38
PID 2856 wrote to memory of 2372	2856	cmd.exe	38
PID 2856 wrote to memory of 2372	2856	cmd.exe	38
PID 2856 wrote to memory of 2744	2856	cmd.exe	39
PID 2856 wrote to memory of 2744	2856	cmd.exe	39
PID 2856 wrote to memory of 2744	2856	cmd.exe	39
PID 2856 wrote to memory of 2584	2856	cmd.exe	40
PID 2856 wrote to memory of 2584	2856	cmd.exe	40
PID 2856 wrote to memory of 2584	2856	cmd.exe	40
PID 2856 wrote to memory of 2664	2856	cmd.exe	41
PID 2856 wrote to memory of 2664	2856	cmd.exe	41
PID 2856 wrote to memory of 2664	2856	cmd.exe	41
PID 2856 wrote to memory of 1304	2856	cmd.exe	42
PID 2856 wrote to memory of 1304	2856	cmd.exe	42
PID 2856 wrote to memory of 1304	2856	cmd.exe	42
PID 2856 wrote to memory of 2580	2856	cmd.exe	43
PID 2856 wrote to memory of 2580	2856	cmd.exe	43
PID 2856 wrote to memory of 2580	2856	cmd.exe	43
PID 2856 wrote to memory of 2600	2856	cmd.exe	44
PID 2856 wrote to memory of 2600	2856	cmd.exe	44
PID 2856 wrote to memory of 2600	2856	cmd.exe	44
PID 2856 wrote to memory of 2624	2856	cmd.exe	45
PID 2856 wrote to memory of 2624	2856	cmd.exe	45
PID 2856 wrote to memory of 2624	2856	cmd.exe	45
PID 2856 wrote to memory of 2004	2856	cmd.exe	46
PID 2856 wrote to memory of 2004	2856	cmd.exe	46
PID 2856 wrote to memory of 2004	2856	cmd.exe	46
PID 2856 wrote to memory of 3068	2856	cmd.exe	47
PID 2856 wrote to memory of 3068	2856	cmd.exe	47
PID 2856 wrote to memory of 3068	2856	cmd.exe	47
PID 2856 wrote to memory of 2248	2856	cmd.exe	48
PID 2856 wrote to memory of 2248	2856	cmd.exe	48
PID 2856 wrote to memory of 2248	2856	cmd.exe	48
PID 2856 wrote to memory of 788	2856	cmd.exe	49
PID 2856 wrote to memory of 788	2856	cmd.exe	49
PID 2856 wrote to memory of 788	2856	cmd.exe	49
PID 2856 wrote to memory of 1408	2856	cmd.exe	50
PID 2856 wrote to memory of 1408	2856	cmd.exe	50
PID 2856 wrote to memory of 1408	2856	cmd.exe	50
PID 2856 wrote to memory of 2784	2856	cmd.exe	51
PID 2856 wrote to memory of 2784	2856	cmd.exe	51
PID 2856 wrote to memory of 2784	2856	cmd.exe	51
PID 2856 wrote to memory of 2044	2856	cmd.exe	52
PID 2856 wrote to memory of 2044	2856	cmd.exe	52
PID 2856 wrote to memory of 2044	2856	cmd.exe	52
PID 2856 wrote to memory of 856	2856	cmd.exe	53
PID 2856 wrote to memory of 856	2856	cmd.exe	53
PID 2856 wrote to memory of 856	2856	cmd.exe	53
PID 2856 wrote to memory of 2308	2856	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\1d0701d8fdc16df25fa0249b59aab042.exe
"C:\Users\Admin\AppData\Local\Temp\1d0701d8fdc16df25fa0249b59aab042.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEFEA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpEFEA.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2764
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2744
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2580
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2248
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2308
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2804
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2168
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2392
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1648
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2268
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2124
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1308
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2412
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1664
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:236
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1508
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:544
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2284
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1876
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1760
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1152
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:768
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2356
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2408
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2320
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2832
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2744
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:652
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2616
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2464
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1408
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2044
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2452
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:620
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2100
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1516
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2168
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2648
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2228
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2108
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:416
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1060
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:904
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1740
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2440
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1948
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1492
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2180
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1864
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1396
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1568
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2260
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:332
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1192
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2448
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2816
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2808
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2560
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2744
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2664
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2136
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2616
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:628
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1408
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1252
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2308
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2452
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2860
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1168
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1552
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1208
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:3056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1312
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1240
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1444
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2648
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3048
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2108
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1900
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:416
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1084
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1636
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1092
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2296
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1308
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:980
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1608
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2488
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2012
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1784
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2212
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1544
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1224
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1684
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2164
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1508
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:588
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1492
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1976
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2088
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2348
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2304
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1152
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2492
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2456
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1368
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:332
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2356
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:484
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2768
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2696
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2668
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1724
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2156
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2968
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2872
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2372
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2744
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1304
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2544
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2376
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2600
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1244
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2200
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1676
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2876
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2368
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1796
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2908
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2112
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2572
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2104
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2152
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2268
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1628
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1936
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:548
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1020
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:3024
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1132
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1092
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1088
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1060
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1740
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2176
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:3000
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2420
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2740
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2964
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2404
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1948
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2500
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2868
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2076
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:588
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:3008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1812
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2360
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2492
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2460
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2824
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:864
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2696
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:288
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2224
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1724
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1716
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2780
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2976
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3016
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2372
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:3028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2628
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2116
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3064
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2672
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2464
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1244
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2200
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2876
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1252
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:3012
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2024
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2308
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2772
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2888
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2892
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2100
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1324
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2112
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:3036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2120
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2648
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2228
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:1936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1488
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:3052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1636
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:1308
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2204
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:296
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2412
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2012
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1536
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1040
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    PID:2212
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:560
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:696
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1224
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2848"
    3⤵
    - Enumerates processes with tasklist
    PID:2164
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1992
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEFEA.tmp.bat

Filesize
286B

MD5
9b397def925b974e028e62472d8e93e0

SHA1
84b69780f269aeebbeadc6a198920c8bfc71e97d

SHA256
1084040a0a46ee288c28c4476c0de769000bd1771899b08cac565fbc8b81c34c

SHA512
840f75717ce21ce1b4c7dce7c929dcb54d46c00fbc3a166f6579e5eb09834245ab990c90bddf75fb42deaf288ff9335fa979cb647e2138e2634922f71ddef023

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2848-0-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x00000000009E0000-0x0000000000F82000-memory.dmp

Filesize
5.6MB

Download
memory/2848-6-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2848-10-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download