d0d1c39b9750ccb8b7bb70610185e077437f83811553b1a760072eaa395da779

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
Size

5.6MB
MD5

1d0701d8fdc16df25fa0249b59aab042
SHA1

6028426f7e0a712a1aeae28d986337aafae26abe
SHA256

a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9
SHA512

f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17
SSDEEP

98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcA:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciP

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2236	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 59 IoCs

discovery

Process Discovery

T1057

pid	Process
2016	tasklist.exe
836	tasklist.exe
2072	tasklist.exe
296	tasklist.exe
2540	tasklist.exe
1460	tasklist.exe
276	tasklist.exe
2640	tasklist.exe
2496	tasklist.exe
2156	tasklist.exe
2064	tasklist.exe
1724	tasklist.exe
1964	tasklist.exe
2752	tasklist.exe
2456	tasklist.exe
2204	tasklist.exe
2796	tasklist.exe
1684	tasklist.exe
3004	tasklist.exe
2096	tasklist.exe
2424	tasklist.exe
2236	tasklist.exe
2728	tasklist.exe
2672	tasklist.exe
2980	tasklist.exe
1748	tasklist.exe
2420	tasklist.exe
1628	tasklist.exe
1996	tasklist.exe
1808	tasklist.exe
2596	tasklist.exe
1744	tasklist.exe
564	tasklist.exe
560	tasklist.exe
3048	tasklist.exe
2768	tasklist.exe
1644	tasklist.exe
2388	tasklist.exe
1880	tasklist.exe
1936	tasklist.exe
2152	tasklist.exe
1720	tasklist.exe
1032	tasklist.exe
2164	tasklist.exe
856	tasklist.exe
1376	tasklist.exe
2036	tasklist.exe
2268	tasklist.exe
2052	tasklist.exe
2332	tasklist.exe
576	tasklist.exe
2336	tasklist.exe
2884	tasklist.exe
1672	tasklist.exe
556	tasklist.exe
2992	tasklist.exe
848	tasklist.exe
2872	tasklist.exe
1152	tasklist.exe

Delays execution with timeout.exe 58 IoCs

evasion

pid	Process
2032	timeout.exe
2208	timeout.exe
952	timeout.exe
1156	timeout.exe
1516	timeout.exe
2068	timeout.exe
1184	timeout.exe
2848	timeout.exe
536	timeout.exe
2116	timeout.exe
2632	timeout.exe
340	timeout.exe
596	timeout.exe
2000	timeout.exe
1864	timeout.exe
1148	timeout.exe
2508	timeout.exe
2824	timeout.exe
1464	timeout.exe
2264	timeout.exe
912	timeout.exe
1476	timeout.exe
2736	timeout.exe
1464	timeout.exe
2196	timeout.exe
904	timeout.exe
1548	timeout.exe
2008	timeout.exe
692	timeout.exe
2116	timeout.exe
1816	timeout.exe
2964	timeout.exe
304	timeout.exe
1912	timeout.exe
2288	timeout.exe
692	timeout.exe
2484	timeout.exe
2856	timeout.exe
2452	timeout.exe
1588	timeout.exe
2148	timeout.exe
2376	timeout.exe
2284	timeout.exe
708	timeout.exe
2836	timeout.exe
1920	timeout.exe
2776	timeout.exe
2624	timeout.exe
2772	timeout.exe
2736	timeout.exe
1956	timeout.exe
1124	timeout.exe
2772	timeout.exe
2408	timeout.exe
2632	timeout.exe
2940	timeout.exe
1616	timeout.exe
2688	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2236	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
2236	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
2236	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeDebugPrivilege	2796	tasklist.exe
Token: SeDebugPrivilege	2640	tasklist.exe
Token: SeDebugPrivilege	2672	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	1684	tasklist.exe
Token: SeDebugPrivilege	2992	tasklist.exe
Token: SeDebugPrivilege	1996	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe
Token: SeDebugPrivilege	1808	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	1880	tasklist.exe
Token: SeDebugPrivilege	1936	tasklist.exe
Token: SeDebugPrivilege	2152	tasklist.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	2596	tasklist.exe
Token: SeDebugPrivilege	856	tasklist.exe
Token: SeDebugPrivilege	836	tasklist.exe
Token: SeDebugPrivilege	2156	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe
Token: SeDebugPrivilege	3048	tasklist.exe
Token: SeDebugPrivilege	2072	tasklist.exe
Token: SeDebugPrivilege	2064	tasklist.exe
Token: SeDebugPrivilege	1724	tasklist.exe
Token: SeDebugPrivilege	2540	tasklist.exe
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	2336	tasklist.exe
Token: SeDebugPrivilege	2768	tasklist.exe
Token: SeDebugPrivilege	2884	tasklist.exe
Token: SeDebugPrivilege	2420	tasklist.exe
Token: SeDebugPrivilege	2052	tasklist.exe
Token: SeDebugPrivilege	2332	tasklist.exe
Token: SeDebugPrivilege	848	tasklist.exe
Token: SeDebugPrivilege	2036	tasklist.exe
Token: SeDebugPrivilege	576	tasklist.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeDebugPrivilege	2872	tasklist.exe
Token: SeDebugPrivilege	3004	tasklist.exe
Token: SeDebugPrivilege	1744	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	2268	tasklist.exe
Token: SeDebugPrivilege	1152	tasklist.exe
Token: SeDebugPrivilege	2096	tasklist.exe
Token: SeDebugPrivilege	1460	tasklist.exe
Token: SeDebugPrivilege	1672	tasklist.exe
Token: SeDebugPrivilege	2424	tasklist.exe
Token: SeDebugPrivilege	296	tasklist.exe
Token: SeDebugPrivilege	276	tasklist.exe
Token: SeDebugPrivilege	1644	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	2456	tasklist.exe
Token: SeDebugPrivilege	564	tasklist.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	2236	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2100	2236	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe	31
PID 2236 wrote to memory of 2100	2236	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe	31
PID 2236 wrote to memory of 2100	2236	a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe	31
PID 2100 wrote to memory of 2724	2100	cmd.exe	33
PID 2100 wrote to memory of 2724	2100	cmd.exe	33
PID 2100 wrote to memory of 2724	2100	cmd.exe	33
PID 2100 wrote to memory of 2728	2100	cmd.exe	34
PID 2100 wrote to memory of 2728	2100	cmd.exe	34
PID 2100 wrote to memory of 2728	2100	cmd.exe	34
PID 2100 wrote to memory of 3040	2100	cmd.exe	35
PID 2100 wrote to memory of 3040	2100	cmd.exe	35
PID 2100 wrote to memory of 3040	2100	cmd.exe	35
PID 2100 wrote to memory of 2772	2100	cmd.exe	37
PID 2100 wrote to memory of 2772	2100	cmd.exe	37
PID 2100 wrote to memory of 2772	2100	cmd.exe	37
PID 2100 wrote to memory of 2752	2100	cmd.exe	38
PID 2100 wrote to memory of 2752	2100	cmd.exe	38
PID 2100 wrote to memory of 2752	2100	cmd.exe	38
PID 2100 wrote to memory of 2968	2100	cmd.exe	39
PID 2100 wrote to memory of 2968	2100	cmd.exe	39
PID 2100 wrote to memory of 2968	2100	cmd.exe	39
PID 2100 wrote to memory of 2736	2100	cmd.exe	40
PID 2100 wrote to memory of 2736	2100	cmd.exe	40
PID 2100 wrote to memory of 2736	2100	cmd.exe	40
PID 2100 wrote to memory of 2796	2100	cmd.exe	41
PID 2100 wrote to memory of 2796	2100	cmd.exe	41
PID 2100 wrote to memory of 2796	2100	cmd.exe	41
PID 2100 wrote to memory of 2664	2100	cmd.exe	42
PID 2100 wrote to memory of 2664	2100	cmd.exe	42
PID 2100 wrote to memory of 2664	2100	cmd.exe	42
PID 2100 wrote to memory of 2632	2100	cmd.exe	43
PID 2100 wrote to memory of 2632	2100	cmd.exe	43
PID 2100 wrote to memory of 2632	2100	cmd.exe	43
PID 2100 wrote to memory of 2640	2100	cmd.exe	44
PID 2100 wrote to memory of 2640	2100	cmd.exe	44
PID 2100 wrote to memory of 2640	2100	cmd.exe	44
PID 2100 wrote to memory of 2668	2100	cmd.exe	45
PID 2100 wrote to memory of 2668	2100	cmd.exe	45
PID 2100 wrote to memory of 2668	2100	cmd.exe	45
PID 2100 wrote to memory of 2116	2100	cmd.exe	46
PID 2100 wrote to memory of 2116	2100	cmd.exe	46
PID 2100 wrote to memory of 2116	2100	cmd.exe	46
PID 2100 wrote to memory of 2672	2100	cmd.exe	47
PID 2100 wrote to memory of 2672	2100	cmd.exe	47
PID 2100 wrote to memory of 2672	2100	cmd.exe	47
PID 2100 wrote to memory of 2296	2100	cmd.exe	48
PID 2100 wrote to memory of 2296	2100	cmd.exe	48
PID 2100 wrote to memory of 2296	2100	cmd.exe	48
PID 2100 wrote to memory of 2624	2100	cmd.exe	49
PID 2100 wrote to memory of 2624	2100	cmd.exe	49
PID 2100 wrote to memory of 2624	2100	cmd.exe	49
PID 2100 wrote to memory of 560	2100	cmd.exe	50
PID 2100 wrote to memory of 560	2100	cmd.exe	50
PID 2100 wrote to memory of 560	2100	cmd.exe	50
PID 2100 wrote to memory of 1288	2100	cmd.exe	51
PID 2100 wrote to memory of 1288	2100	cmd.exe	51
PID 2100 wrote to memory of 1288	2100	cmd.exe	51
PID 2100 wrote to memory of 1464	2100	cmd.exe	52
PID 2100 wrote to memory of 1464	2100	cmd.exe	52
PID 2100 wrote to memory of 1464	2100	cmd.exe	52
PID 2100 wrote to memory of 1684	2100	cmd.exe	53
PID 2100 wrote to memory of 1684	2100	cmd.exe	53
PID 2100 wrote to memory of 1684	2100	cmd.exe	53
PID 2100 wrote to memory of 1332	2100	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
"C:\Users\Admin\AppData\Local\Temp\a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD662.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD662.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2724
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2968
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2736
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2668
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2116
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2296
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2624
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1288
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1464
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1332
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2688
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2604
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2824
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2856
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1436
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2264
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1912
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2368
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2408
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2356
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:340
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1292
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1816
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1696
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:912
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2076
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:284
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:536
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:772
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2452
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2412
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2196
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1044
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2208
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2776
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2736
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2116
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2404
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:840
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1464
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3008
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2568
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2980
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:768
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1936
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2360
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1184
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:304
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1956
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2024
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:952
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1376
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2376
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3048
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1156
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1072
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1616
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2588
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1476
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2548
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1124
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2284
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2484
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2236"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD662.tmp.bat

Filesize
286B

MD5
c126e7a26d0759dbd8823f92555d08f6

SHA1
fb0f3073c8e4145f1579506653d9e41b02d4bd8d

SHA256
6be256eec6cbc55923dc3d93c55235e0a9988487e0ac456b922810b2025a7202

SHA512
424725ecdde69cdbe5814b8e0dc96139ce314304ef24566b6cf56fd663852829e016f82549d87ebc10e3217548502ca676a7f53e277495483b552a666cac0b8f

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2236-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000000E70000-0x0000000001412000-memory.dmp

Filesize
5.6MB

Download
memory/2236-6-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-9-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download