a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9

Analysis

max time kernel
60s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
Size

5.6MB
MD5

1d0701d8fdc16df25fa0249b59aab042
SHA1

6028426f7e0a712a1aeae28d986337aafae26abe
SHA256

a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9
SHA512

f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcA:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1740	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 50 IoCs

discovery

Process Discovery

T1057

pid	Process
2776	tasklist.exe
3020	tasklist.exe
2444	tasklist.exe
2140	tasklist.exe
2740	tasklist.exe
2720	tasklist.exe
1036	tasklist.exe
2996	tasklist.exe
2220	tasklist.exe
2840	tasklist.exe
2724	tasklist.exe
2340	tasklist.exe
2268	tasklist.exe
296	tasklist.exe
2524	tasklist.exe
2420	tasklist.exe
432	tasklist.exe
968	tasklist.exe
1184	tasklist.exe
2508	tasklist.exe
2844	tasklist.exe
1328	tasklist.exe
2700	tasklist.exe
2496	tasklist.exe
1640	tasklist.exe
1492	tasklist.exe
2028	tasklist.exe
1324	tasklist.exe
2728	tasklist.exe
2888	tasklist.exe
2252	tasklist.exe
1816	tasklist.exe
2164	tasklist.exe
1704	tasklist.exe
2968	tasklist.exe
1208	tasklist.exe
2736	tasklist.exe
1660	tasklist.exe
112	tasklist.exe
2532	tasklist.exe
2796	tasklist.exe
2848	tasklist.exe
2568	tasklist.exe
2100	tasklist.exe
1512	tasklist.exe
2780	tasklist.exe
940	tasklist.exe
3060	tasklist.exe
2016	tasklist.exe
1736	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 49 IoCs

evasion

pid	Process
656	timeout.exe
1732	timeout.exe
2392	timeout.exe
536	timeout.exe
1988	timeout.exe
2252	timeout.exe
1808	timeout.exe
2588	timeout.exe
2752	timeout.exe
1996	timeout.exe
2236	timeout.exe
560	timeout.exe
1068	timeout.exe
2408	timeout.exe
888	timeout.exe
1504	timeout.exe
3000	timeout.exe
2844	timeout.exe
2568	timeout.exe
1152	timeout.exe
276	timeout.exe
2936	timeout.exe
2796	timeout.exe
3012	timeout.exe
2272	timeout.exe
2576	timeout.exe
2720	timeout.exe
1772	timeout.exe
2572	timeout.exe
584	timeout.exe
2792	timeout.exe
1096	timeout.exe
1924	timeout.exe
1380	timeout.exe
2436	timeout.exe
1604	timeout.exe
2464	timeout.exe
1980	timeout.exe
908	timeout.exe
2820	timeout.exe
2664	timeout.exe
3028	timeout.exe
1992	timeout.exe
2940	timeout.exe
1788	timeout.exe
2696	timeout.exe
2644	timeout.exe
2160	timeout.exe
1832	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1740	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
1740	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
1740	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
Token: SeDebugPrivilege	2220	tasklist.exe
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	2340	tasklist.exe
Token: SeDebugPrivilege	2780	tasklist.exe
Token: SeDebugPrivilege	1640	tasklist.exe
Token: SeDebugPrivilege	1660	tasklist.exe
Token: SeDebugPrivilege	2776	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	2268	tasklist.exe
Token: SeDebugPrivilege	112	tasklist.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	1816	tasklist.exe
Token: SeDebugPrivilege	940	tasklist.exe
Token: SeDebugPrivilege	968	tasklist.exe
Token: SeDebugPrivilege	1184	tasklist.exe
Token: SeDebugPrivilege	296	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	3060	tasklist.exe
Token: SeDebugPrivilege	2508	tasklist.exe
Token: SeDebugPrivilege	2524	tasklist.exe
Token: SeDebugPrivilege	2444	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	2140	tasklist.exe
Token: SeDebugPrivilege	2532	tasklist.exe
Token: SeDebugPrivilege	2888	tasklist.exe
Token: SeDebugPrivilege	2796	tasklist.exe
Token: SeDebugPrivilege	2848	tasklist.exe
Token: SeDebugPrivilege	2844	tasklist.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	2720	tasklist.exe
Token: SeDebugPrivilege	2568	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe
Token: SeDebugPrivilege	1328	tasklist.exe
Token: SeDebugPrivilege	1208	tasklist.exe
Token: SeDebugPrivilege	2996	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	2420	tasklist.exe
Token: SeDebugPrivilege	2252	tasklist.exe
Token: SeDebugPrivilege	2100	tasklist.exe
Token: SeDebugPrivilege	432	tasklist.exe
Token: SeDebugPrivilege	1512	tasklist.exe
Token: SeDebugPrivilege	1324	tasklist.exe
Token: SeDebugPrivilege	1036	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1920	1740	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe	31
PID 1740 wrote to memory of 1920	1740	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe	31
PID 1740 wrote to memory of 1920	1740	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe	31
PID 1920 wrote to memory of 584	1920	cmd.exe	33
PID 1920 wrote to memory of 584	1920	cmd.exe	33
PID 1920 wrote to memory of 584	1920	cmd.exe	33
PID 1920 wrote to memory of 2220	1920	cmd.exe	34
PID 1920 wrote to memory of 2220	1920	cmd.exe	34
PID 1920 wrote to memory of 2220	1920	cmd.exe	34
PID 1920 wrote to memory of 2488	1920	cmd.exe	35
PID 1920 wrote to memory of 2488	1920	cmd.exe	35
PID 1920 wrote to memory of 2488	1920	cmd.exe	35
PID 1920 wrote to memory of 2796	1920	cmd.exe	37
PID 1920 wrote to memory of 2796	1920	cmd.exe	37
PID 1920 wrote to memory of 2796	1920	cmd.exe	37
PID 1920 wrote to memory of 2840	1920	cmd.exe	38
PID 1920 wrote to memory of 2840	1920	cmd.exe	38
PID 1920 wrote to memory of 2840	1920	cmd.exe	38
PID 1920 wrote to memory of 2936	1920	cmd.exe	39
PID 1920 wrote to memory of 2936	1920	cmd.exe	39
PID 1920 wrote to memory of 2936	1920	cmd.exe	39
PID 1920 wrote to memory of 3000	1920	cmd.exe	40
PID 1920 wrote to memory of 3000	1920	cmd.exe	40
PID 1920 wrote to memory of 3000	1920	cmd.exe	40
PID 1920 wrote to memory of 2700	1920	cmd.exe	41
PID 1920 wrote to memory of 2700	1920	cmd.exe	41
PID 1920 wrote to memory of 2700	1920	cmd.exe	41
PID 1920 wrote to memory of 1528	1920	cmd.exe	42
PID 1920 wrote to memory of 1528	1920	cmd.exe	42
PID 1920 wrote to memory of 1528	1920	cmd.exe	42
PID 1920 wrote to memory of 2844	1920	cmd.exe	43
PID 1920 wrote to memory of 2844	1920	cmd.exe	43
PID 1920 wrote to memory of 2844	1920	cmd.exe	43
PID 1920 wrote to memory of 2728	1920	cmd.exe	44
PID 1920 wrote to memory of 2728	1920	cmd.exe	44
PID 1920 wrote to memory of 2728	1920	cmd.exe	44
PID 1920 wrote to memory of 2792	1920	cmd.exe	45
PID 1920 wrote to memory of 2792	1920	cmd.exe	45
PID 1920 wrote to memory of 2792	1920	cmd.exe	45
PID 1920 wrote to memory of 2696	1920	cmd.exe	46
PID 1920 wrote to memory of 2696	1920	cmd.exe	46
PID 1920 wrote to memory of 2696	1920	cmd.exe	46
PID 1920 wrote to memory of 2724	1920	cmd.exe	47
PID 1920 wrote to memory of 2724	1920	cmd.exe	47
PID 1920 wrote to memory of 2724	1920	cmd.exe	47
PID 1920 wrote to memory of 2752	1920	cmd.exe	48
PID 1920 wrote to memory of 2752	1920	cmd.exe	48
PID 1920 wrote to memory of 2752	1920	cmd.exe	48
PID 1920 wrote to memory of 2720	1920	cmd.exe	49
PID 1920 wrote to memory of 2720	1920	cmd.exe	49
PID 1920 wrote to memory of 2720	1920	cmd.exe	49
PID 1920 wrote to memory of 2496	1920	cmd.exe	50
PID 1920 wrote to memory of 2496	1920	cmd.exe	50
PID 1920 wrote to memory of 2496	1920	cmd.exe	50
PID 1920 wrote to memory of 1832	1920	cmd.exe	51
PID 1920 wrote to memory of 1832	1920	cmd.exe	51
PID 1920 wrote to memory of 1832	1920	cmd.exe	51
PID 1920 wrote to memory of 2568	1920	cmd.exe	52
PID 1920 wrote to memory of 2568	1920	cmd.exe	52
PID 1920 wrote to memory of 2568	1920	cmd.exe	52
PID 1920 wrote to memory of 2736	1920	cmd.exe	53
PID 1920 wrote to memory of 2736	1920	cmd.exe	53
PID 1920 wrote to memory of 2736	1920	cmd.exe	53
PID 1920 wrote to memory of 2664	1920	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
"C:\Users\Admin\AppData\Local\Temp\a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF824.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF824.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2488
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2936
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2696
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2720
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1832
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2568
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2644
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1964
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1152
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1656
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1128
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1924
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1988
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2288
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3012
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1312
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2252
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2248
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1808
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2464
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1380
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3032
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:656
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1516
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1968
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1432
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2436
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1100
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2272
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2160
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1016
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1724
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2392
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2492
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2604
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:536
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2408
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2084
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2820
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2936
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:888
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2792
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2120
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2752
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1144
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1832
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3024
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2664
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1504
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1456
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2332
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1096
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1636
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2132
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2236
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2464
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2440
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:560
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1284
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:236
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1740"
    3⤵
    - Enumerates processes with tasklist
    PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF824.tmp.bat

Filesize
286B

MD5
c60f206c6688c2b0a9f8d1aa38a8b5fa

SHA1
17e9c5082a9e250f03a2229c4acafee158a0d53a

SHA256
9adf3d84af079a931135774b3e1cb4db5031df0ecd15a8479738e95aaf0a41a4

SHA512
b1bb2a4e38544603cd86f52039175997b778af7c41431f69029fcd0ef818fe3785deea1f0c0c4a2c0c7f55de6064a3637390325255dffe3879f24d2b87042482

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/1740-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000000290000-0x0000000000832000-memory.dmp

Filesize
5.6MB

Download
memory/1740-6-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-7-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/1740-10-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download