9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
Size

5.6MB
MD5

55f8e0ef95c316591d64a7bf1bf6ce7b
SHA1

53a4f3375799babd0fcc08190a925b467e7fede7
SHA256

9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9
SHA512

f9bec2a6ee0ca7050c735d62b6be35d732269085a4f92c5720495ec6171ed40d887276f69da978487f08c48690e66f360fffc66a9d8e7cbb4fed04ebd0666ee0
SSDEEP

98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc/:adOuK6mn9NzgMoYkSIvUcwti7TQlvci6

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2444	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
752	tasklist.exe
2236	tasklist.exe
708	tasklist.exe
1556	tasklist.exe
1588	tasklist.exe
536	tasklist.exe
2512	tasklist.exe
1804	tasklist.exe
1952	tasklist.exe
2668	tasklist.exe
2272	tasklist.exe
2836	tasklist.exe
1068	tasklist.exe
1536	tasklist.exe
2428	tasklist.exe
1968	tasklist.exe
916	tasklist.exe
2556	tasklist.exe
2616	tasklist.exe
1952	tasklist.exe
2632	tasklist.exe
2456	tasklist.exe
1224	tasklist.exe
1956	tasklist.exe
2776	tasklist.exe
2072	tasklist.exe
2604	tasklist.exe
2104	tasklist.exe
1180	tasklist.exe
2288	tasklist.exe
1692	tasklist.exe
1420	tasklist.exe
1300	tasklist.exe
2084	tasklist.exe
564	tasklist.exe
576	tasklist.exe
2264	tasklist.exe
2260	tasklist.exe
2380	tasklist.exe
1108	tasklist.exe
496	tasklist.exe
772	tasklist.exe
1516	tasklist.exe
2980	tasklist.exe
448	tasklist.exe
2780	tasklist.exe
2144	tasklist.exe
2392	tasklist.exe
2792	tasklist.exe
2068	tasklist.exe
1752	tasklist.exe
2496	tasklist.exe
2300	tasklist.exe
1612	tasklist.exe
2756	tasklist.exe
1744	tasklist.exe
1668	tasklist.exe
1396	tasklist.exe
1916	tasklist.exe
1940	tasklist.exe
1868	tasklist.exe
1088	tasklist.exe
1628	tasklist.exe
1612	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1904	timeout.exe
1944	timeout.exe
1468	timeout.exe
2520	timeout.exe
564	timeout.exe
1668	timeout.exe
3044	timeout.exe
840	timeout.exe
2344	timeout.exe
1136	timeout.exe
2000	timeout.exe
1736	timeout.exe
296	timeout.exe
1124	timeout.exe
3036	timeout.exe
2836	timeout.exe
1808	timeout.exe
1360	timeout.exe
2772	timeout.exe
1204	timeout.exe
2952	timeout.exe
2432	timeout.exe
1472	timeout.exe
284	timeout.exe
2372	timeout.exe
1144	timeout.exe
2616	timeout.exe
1860	timeout.exe
2788	timeout.exe
2260	timeout.exe
1564	timeout.exe
2360	timeout.exe
2420	timeout.exe
2508	timeout.exe
2004	timeout.exe
2852	timeout.exe
2824	timeout.exe
2996	timeout.exe
556	timeout.exe
3008	timeout.exe
2268	timeout.exe
1748	timeout.exe
2356	timeout.exe
880	timeout.exe
1580	timeout.exe
692	timeout.exe
1928	timeout.exe
2312	timeout.exe
3020	timeout.exe
2988	timeout.exe
1604	timeout.exe
2924	timeout.exe
1092	timeout.exe
1680	timeout.exe
2284	timeout.exe
1716	timeout.exe
1360	timeout.exe
2168	timeout.exe
1612	timeout.exe
2164	timeout.exe
2076	timeout.exe
800	timeout.exe
2188	timeout.exe
2144	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2444	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
2444	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
2444	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	2616	tasklist.exe
Token: SeDebugPrivilege	2160	tasklist.exe
Token: SeDebugPrivilege	680	tasklist.exe
Token: SeDebugPrivilege	1464	tasklist.exe
Token: SeDebugPrivilege	1484	tasklist.exe
Token: SeDebugPrivilege	576	tasklist.exe
Token: SeDebugPrivilege	2952	tasklist.exe
Token: SeDebugPrivilege	2008	tasklist.exe
Token: SeDebugPrivilege	2000	tasklist.exe
Token: SeDebugPrivilege	2264	tasklist.exe
Token: SeDebugPrivilege	2068	tasklist.exe
Token: SeDebugPrivilege	1888	tasklist.exe
Token: SeDebugPrivilege	340	tasklist.exe
Token: SeDebugPrivilege	708	tasklist.exe
Token: SeDebugPrivilege	1516	tasklist.exe
Token: SeDebugPrivilege	1088	tasklist.exe
Token: SeDebugPrivilege	1556	tasklist.exe
Token: SeDebugPrivilege	912	tasklist.exe
Token: SeDebugPrivilege	596	tasklist.exe
Token: SeDebugPrivilege	2964	tasklist.exe
Token: SeDebugPrivilege	2064	tasklist.exe
Token: SeDebugPrivilege	2528	tasklist.exe
Token: SeDebugPrivilege	1752	tasklist.exe
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeDebugPrivilege	2336	tasklist.exe
Token: SeDebugPrivilege	2448	tasklist.exe
Token: SeDebugPrivilege	264	tasklist.exe
Token: SeDebugPrivilege	2776	tasklist.exe
Token: SeDebugPrivilege	2664	tasklist.exe
Token: SeDebugPrivilege	2668	tasklist.exe
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeDebugPrivilege	1288	tasklist.exe
Token: SeDebugPrivilege	1180	tasklist.exe
Token: SeDebugPrivilege	2992	tasklist.exe
Token: SeDebugPrivilege	1996	tasklist.exe
Token: SeDebugPrivilege	2980	tasklist.exe
Token: SeDebugPrivilege	1744	tasklist.exe
Token: SeDebugPrivilege	2800	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	2264	tasklist.exe
Token: SeDebugPrivilege	1912	tasklist.exe
Token: SeDebugPrivilege	1888	tasklist.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe
Token: SeDebugPrivilege	1068	tasklist.exe
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeDebugPrivilege	2288	tasklist.exe
Token: SeDebugPrivilege	1536	tasklist.exe
Token: SeDebugPrivilege	1900	tasklist.exe
Token: SeDebugPrivilege	1072	tasklist.exe
Token: SeDebugPrivilege	2060	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	1692	tasklist.exe
Token: SeDebugPrivilege	2192	tasklist.exe
Token: SeDebugPrivilege	2300	tasklist.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeDebugPrivilege	2400	tasklist.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeDebugPrivilege	2632	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2564	2444	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe	30
PID 2444 wrote to memory of 2564	2444	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe	30
PID 2444 wrote to memory of 2564	2444	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe	30
PID 2564 wrote to memory of 264	2564	cmd.exe	32
PID 2564 wrote to memory of 264	2564	cmd.exe	32
PID 2564 wrote to memory of 264	2564	cmd.exe	32
PID 2564 wrote to memory of 1748	2564	cmd.exe	33
PID 2564 wrote to memory of 1748	2564	cmd.exe	33
PID 2564 wrote to memory of 1748	2564	cmd.exe	33
PID 2564 wrote to memory of 2100	2564	cmd.exe	34
PID 2564 wrote to memory of 2100	2564	cmd.exe	34
PID 2564 wrote to memory of 2100	2564	cmd.exe	34
PID 2564 wrote to memory of 2892	2564	cmd.exe	36
PID 2564 wrote to memory of 2892	2564	cmd.exe	36
PID 2564 wrote to memory of 2892	2564	cmd.exe	36
PID 2564 wrote to memory of 2904	2564	cmd.exe	37
PID 2564 wrote to memory of 2904	2564	cmd.exe	37
PID 2564 wrote to memory of 2904	2564	cmd.exe	37
PID 2564 wrote to memory of 2920	2564	cmd.exe	38
PID 2564 wrote to memory of 2920	2564	cmd.exe	38
PID 2564 wrote to memory of 2920	2564	cmd.exe	38
PID 2564 wrote to memory of 2772	2564	cmd.exe	39
PID 2564 wrote to memory of 2772	2564	cmd.exe	39
PID 2564 wrote to memory of 2772	2564	cmd.exe	39
PID 2564 wrote to memory of 1396	2564	cmd.exe	41
PID 2564 wrote to memory of 1396	2564	cmd.exe	41
PID 2564 wrote to memory of 1396	2564	cmd.exe	41
PID 2564 wrote to memory of 2876	2564	cmd.exe	42
PID 2564 wrote to memory of 2876	2564	cmd.exe	42
PID 2564 wrote to memory of 2876	2564	cmd.exe	42
PID 2564 wrote to memory of 2928	2564	cmd.exe	43
PID 2564 wrote to memory of 2928	2564	cmd.exe	43
PID 2564 wrote to memory of 2928	2564	cmd.exe	43
PID 2564 wrote to memory of 2616	2564	cmd.exe	44
PID 2564 wrote to memory of 2616	2564	cmd.exe	44
PID 2564 wrote to memory of 2616	2564	cmd.exe	44
PID 2564 wrote to memory of 2632	2564	cmd.exe	45
PID 2564 wrote to memory of 2632	2564	cmd.exe	45
PID 2564 wrote to memory of 2632	2564	cmd.exe	45
PID 2564 wrote to memory of 2692	2564	cmd.exe	46
PID 2564 wrote to memory of 2692	2564	cmd.exe	46
PID 2564 wrote to memory of 2692	2564	cmd.exe	46
PID 2564 wrote to memory of 2160	2564	cmd.exe	47
PID 2564 wrote to memory of 2160	2564	cmd.exe	47
PID 2564 wrote to memory of 2160	2564	cmd.exe	47
PID 2564 wrote to memory of 1420	2564	cmd.exe	48
PID 2564 wrote to memory of 1420	2564	cmd.exe	48
PID 2564 wrote to memory of 1420	2564	cmd.exe	48
PID 2564 wrote to memory of 1716	2564	cmd.exe	49
PID 2564 wrote to memory of 1716	2564	cmd.exe	49
PID 2564 wrote to memory of 1716	2564	cmd.exe	49
PID 2564 wrote to memory of 680	2564	cmd.exe	50
PID 2564 wrote to memory of 680	2564	cmd.exe	50
PID 2564 wrote to memory of 680	2564	cmd.exe	50
PID 2564 wrote to memory of 560	2564	cmd.exe	51
PID 2564 wrote to memory of 560	2564	cmd.exe	51
PID 2564 wrote to memory of 560	2564	cmd.exe	51
PID 2564 wrote to memory of 2028	2564	cmd.exe	52
PID 2564 wrote to memory of 2028	2564	cmd.exe	52
PID 2564 wrote to memory of 2028	2564	cmd.exe	52
PID 2564 wrote to memory of 1464	2564	cmd.exe	53
PID 2564 wrote to memory of 1464	2564	cmd.exe	53
PID 2564 wrote to memory of 1464	2564	cmd.exe	53
PID 2564 wrote to memory of 1508	2564	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
"C:\Users\Admin\AppData\Local\Temp\9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC7F1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC7F1.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:264
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2100
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2632
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1420
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:560
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1508
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1776
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2828
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2312
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3016
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1860
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2488
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2256
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2268
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1868
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2144
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2816
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1136
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:708
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1224
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:304
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2128
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:296
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2364
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1612
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1368
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1644
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2232
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2084
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1524
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1360
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1156
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1736
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1872
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2292
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2164
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2560
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1124
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2320
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2100
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2948
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2796
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2420
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2652
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2404
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2116
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1200
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2820
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2872
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2988
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1968
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2656
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1436
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1864
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2256
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1936
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2360
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1868
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1532
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2816
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3064
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1604
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2024
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1088
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1528
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1376
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1468
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3048
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2072
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1636
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1724
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2252
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2388
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2284
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1588
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2168
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2340
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1748
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2924
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2476
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2668
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2332
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1420
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2296
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1092
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:848
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1668
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1332
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1180
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2872
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2824
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1500
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2832
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1808
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1860
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2260
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2172
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2380
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1152
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2432
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2140
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2356
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:448
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2148
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2408
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2428
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2272
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1204
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1300
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:292
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2436
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2128
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1612
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:316
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1680
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3060
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2084
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2456
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:284
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1688
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:992
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1872
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1580
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1260
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2236
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1124
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2300
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1944
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2512
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2948
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2896
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2420
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2732
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2640
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2092
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2160
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:848
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1108
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1508
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:692
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2872
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2604
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2212
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1500
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2464
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2888
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1808
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:884
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2260
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1436
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2372
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2180
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2112
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2140
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1460
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2144
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:340
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2104
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1144
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1224
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1604
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1956
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1552
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2364
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1612
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1644
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1468
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1904
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1360
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2384
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1732
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2540
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2284
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2192
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1380
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2300
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1748
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3044
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2744
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2616
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2792
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2676
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2668
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:840
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2092
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1804
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1668
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1108
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2860
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2836
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2952
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2392
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2824
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2212
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2884
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1328
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2984
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2188
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2488
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1728
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2372
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2432
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:1868
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2716
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2496
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:2816
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2144
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2272
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1204
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1292
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1816
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1088
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1224
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1876
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:316
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    PID:1900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:2072
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2064
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:772
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2444"
    3⤵
    - Enumerates processes with tasklist
    PID:564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1472
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC7F1.tmp.bat

Filesize
354B

MD5
e505b5d33d86517b69f4d15c2565008c

SHA1
13329e7c4329597bba0d8f14a0ca868c08baaba4

SHA256
d66171bb2239451f238f29c278506e8acc3c64221f0e1c6e4cc52ec2355ce00d

SHA512
dffb92fb6452ff559b50629976a48ec2735cd6659f98e94c347728f0dedb383674040ffe43fcfdbc6d47d9d947d2adac8e383f706da687c707912dadbbb753b9

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2444-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

Filesize
4KB

Download
memory/2444-1-0x0000000000910000-0x0000000000EA8000-memory.dmp

Filesize
5.6MB

Download
memory/2444-6-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2444-9-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download