9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
Size

5.6MB
MD5

55f8e0ef95c316591d64a7bf1bf6ce7b
SHA1

53a4f3375799babd0fcc08190a925b467e7fede7
SHA256

9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9
SHA512

f9bec2a6ee0ca7050c735d62b6be35d732269085a4f92c5720495ec6171ed40d887276f69da978487f08c48690e66f360fffc66a9d8e7cbb4fed04ebd0666ee0
SSDEEP

98304:aGl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc/:adOuK6mn9NzgMoYkSIvUcwti7TQlvci6

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2384	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
536	tasklist.exe
2620	tasklist.exe
848	tasklist.exe
2680	tasklist.exe
2428	tasklist.exe
2412	tasklist.exe
1668	tasklist.exe
2440	tasklist.exe
832	tasklist.exe
2820	tasklist.exe
1820	tasklist.exe
2452	tasklist.exe
1948	tasklist.exe
1556	tasklist.exe
2856	tasklist.exe
2948	tasklist.exe
380	tasklist.exe
2928	tasklist.exe
2780	tasklist.exe
612	tasklist.exe
2432	tasklist.exe
2476	tasklist.exe
2592	tasklist.exe
2212	tasklist.exe
304	tasklist.exe
2744	tasklist.exe
2032	tasklist.exe
1964	tasklist.exe
1044	tasklist.exe
1804	tasklist.exe
1768	tasklist.exe
1596	tasklist.exe
1312	tasklist.exe
1932	tasklist.exe
1688	tasklist.exe
1600	tasklist.exe
1308	tasklist.exe
1288	tasklist.exe
2188	tasklist.exe
1360	tasklist.exe
1536	tasklist.exe
3064	tasklist.exe
612	tasklist.exe
2004	tasklist.exe
3016	tasklist.exe
2052	tasklist.exe
2376	tasklist.exe
1752	tasklist.exe
1780	tasklist.exe
1712	tasklist.exe
1684	tasklist.exe
1260	tasklist.exe
2472	tasklist.exe
1980	tasklist.exe
2516	tasklist.exe
2376	tasklist.exe
832	tasklist.exe
2832	tasklist.exe
2660	tasklist.exe
2140	tasklist.exe
1788	tasklist.exe
1088	tasklist.exe
1676	tasklist.exe
2320	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2916	timeout.exe
2128	timeout.exe
1608	timeout.exe
748	timeout.exe
596	timeout.exe
1508	timeout.exe
2984	timeout.exe
2036	timeout.exe
2140	timeout.exe
2128	timeout.exe
1868	timeout.exe
1088	timeout.exe
2188	timeout.exe
2320	timeout.exe
824	timeout.exe
1716	timeout.exe
1764	timeout.exe
2196	timeout.exe
1864	timeout.exe
756	timeout.exe
556	timeout.exe
596	timeout.exe
2640	timeout.exe
1852	timeout.exe
2232	timeout.exe
2196	timeout.exe
2892	timeout.exe
2752	timeout.exe
1092	timeout.exe
2916	timeout.exe
1832	timeout.exe
1972	timeout.exe
900	timeout.exe
2108	timeout.exe
2792	timeout.exe
2516	timeout.exe
1580	timeout.exe
1548	timeout.exe
1964	timeout.exe
1528	timeout.exe
2704	timeout.exe
3000	timeout.exe
632	timeout.exe
2872	timeout.exe
2220	timeout.exe
3016	timeout.exe
380	timeout.exe
1296	timeout.exe
780	timeout.exe
1136	timeout.exe
3032	timeout.exe
2684	timeout.exe
2188	timeout.exe
1592	timeout.exe
1148	timeout.exe
2492	timeout.exe
620	timeout.exe
484	timeout.exe
2268	timeout.exe
1296	timeout.exe
864	timeout.exe
2896	timeout.exe
1948	timeout.exe
1508	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2384	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
2384	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
2384	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
Token: SeDebugPrivilege	2880	tasklist.exe
Token: SeDebugPrivilege	2796	tasklist.exe
Token: SeDebugPrivilege	2832	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	2284	tasklist.exe
Token: SeDebugPrivilege	1144	tasklist.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeDebugPrivilege	1684	tasklist.exe
Token: SeDebugPrivilege	1948	tasklist.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeDebugPrivilege	1612	tasklist.exe
Token: SeDebugPrivilege	1312	tasklist.exe
Token: SeDebugPrivilege	2660	tasklist.exe
Token: SeDebugPrivilege	1240	tasklist.exe
Token: SeDebugPrivilege	1864	tasklist.exe
Token: SeDebugPrivilege	2432	tasklist.exe
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	992	tasklist.exe
Token: SeDebugPrivilege	1260	tasklist.exe
Token: SeDebugPrivilege	1668	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	2440	tasklist.exe
Token: SeDebugPrivilege	2476	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	884	tasklist.exe
Token: SeDebugPrivilege	1556	tasklist.exe
Token: SeDebugPrivilege	3032	tasklist.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	2112	tasklist.exe
Token: SeDebugPrivilege	2744	tasklist.exe
Token: SeDebugPrivilege	2620	tasklist.exe
Token: SeDebugPrivilege	2856	tasklist.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	3016	tasklist.exe
Token: SeDebugPrivilege	1088	tasklist.exe
Token: SeDebugPrivilege	2024	tasklist.exe
Token: SeDebugPrivilege	848	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	2560	tasklist.exe
Token: SeDebugPrivilege	1848	tasklist.exe
Token: SeDebugPrivilege	1308	tasklist.exe
Token: SeDebugPrivilege	1496	tasklist.exe
Token: SeDebugPrivilege	2688	tasklist.exe
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeDebugPrivilege	2472	tasklist.exe
Token: SeDebugPrivilege	1360	tasklist.exe
Token: SeDebugPrivilege	304	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	832	tasklist.exe
Token: SeDebugPrivilege	1600	tasklist.exe
Token: SeDebugPrivilege	2520	tasklist.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	3044	tasklist.exe
Token: SeDebugPrivilege	1536	tasklist.exe
Token: SeDebugPrivilege	2376	tasklist.exe
Token: SeDebugPrivilege	3064	tasklist.exe
Token: SeDebugPrivilege	2776	tasklist.exe
Token: SeDebugPrivilege	2820	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2380	2384	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe	30
PID 2384 wrote to memory of 2380	2384	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe	30
PID 2384 wrote to memory of 2380	2384	9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe	30
PID 2380 wrote to memory of 2208	2380	cmd.exe	32
PID 2380 wrote to memory of 2208	2380	cmd.exe	32
PID 2380 wrote to memory of 2208	2380	cmd.exe	32
PID 2380 wrote to memory of 2880	2380	cmd.exe	33
PID 2380 wrote to memory of 2880	2380	cmd.exe	33
PID 2380 wrote to memory of 2880	2380	cmd.exe	33
PID 2380 wrote to memory of 2156	2380	cmd.exe	34
PID 2380 wrote to memory of 2156	2380	cmd.exe	34
PID 2380 wrote to memory of 2156	2380	cmd.exe	34
PID 2380 wrote to memory of 2792	2380	cmd.exe	36
PID 2380 wrote to memory of 2792	2380	cmd.exe	36
PID 2380 wrote to memory of 2792	2380	cmd.exe	36
PID 2380 wrote to memory of 2796	2380	cmd.exe	37
PID 2380 wrote to memory of 2796	2380	cmd.exe	37
PID 2380 wrote to memory of 2796	2380	cmd.exe	37
PID 2380 wrote to memory of 2824	2380	cmd.exe	38
PID 2380 wrote to memory of 2824	2380	cmd.exe	38
PID 2380 wrote to memory of 2824	2380	cmd.exe	38
PID 2380 wrote to memory of 2928	2380	cmd.exe	39
PID 2380 wrote to memory of 2928	2380	cmd.exe	39
PID 2380 wrote to memory of 2928	2380	cmd.exe	39
PID 2380 wrote to memory of 2832	2380	cmd.exe	40
PID 2380 wrote to memory of 2832	2380	cmd.exe	40
PID 2380 wrote to memory of 2832	2380	cmd.exe	40
PID 2380 wrote to memory of 2680	2380	cmd.exe	41
PID 2380 wrote to memory of 2680	2380	cmd.exe	41
PID 2380 wrote to memory of 2680	2380	cmd.exe	41
PID 2380 wrote to memory of 2856	2380	cmd.exe	42
PID 2380 wrote to memory of 2856	2380	cmd.exe	42
PID 2380 wrote to memory of 2856	2380	cmd.exe	42
PID 2380 wrote to memory of 2728	2380	cmd.exe	43
PID 2380 wrote to memory of 2728	2380	cmd.exe	43
PID 2380 wrote to memory of 2728	2380	cmd.exe	43
PID 2380 wrote to memory of 2640	2380	cmd.exe	44
PID 2380 wrote to memory of 2640	2380	cmd.exe	44
PID 2380 wrote to memory of 2640	2380	cmd.exe	44
PID 2380 wrote to memory of 2592	2380	cmd.exe	45
PID 2380 wrote to memory of 2592	2380	cmd.exe	45
PID 2380 wrote to memory of 2592	2380	cmd.exe	45
PID 2380 wrote to memory of 2712	2380	cmd.exe	47
PID 2380 wrote to memory of 2712	2380	cmd.exe	47
PID 2380 wrote to memory of 2712	2380	cmd.exe	47
PID 2380 wrote to memory of 1832	2380	cmd.exe	48
PID 2380 wrote to memory of 1832	2380	cmd.exe	48
PID 2380 wrote to memory of 1832	2380	cmd.exe	48
PID 2380 wrote to memory of 3016	2380	cmd.exe	49
PID 2380 wrote to memory of 3016	2380	cmd.exe	49
PID 2380 wrote to memory of 3016	2380	cmd.exe	49
PID 2380 wrote to memory of 2284	2380	cmd.exe	50
PID 2380 wrote to memory of 2284	2380	cmd.exe	50
PID 2380 wrote to memory of 2284	2380	cmd.exe	50
PID 2380 wrote to memory of 2536	2380	cmd.exe	51
PID 2380 wrote to memory of 2536	2380	cmd.exe	51
PID 2380 wrote to memory of 2536	2380	cmd.exe	51
PID 2380 wrote to memory of 1088	2380	cmd.exe	52
PID 2380 wrote to memory of 1088	2380	cmd.exe	52
PID 2380 wrote to memory of 1088	2380	cmd.exe	52
PID 2380 wrote to memory of 1144	2380	cmd.exe	53
PID 2380 wrote to memory of 1144	2380	cmd.exe	53
PID 2380 wrote to memory of 1144	2380	cmd.exe	53
PID 2380 wrote to memory of 1336	2380	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe
"C:\Users\Admin\AppData\Local\Temp\9d543df8d1d705870da23de3f9a43f467fe998836fd00d7ffff1ea3c4701e5f9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2208
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2156
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2792
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2640
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1832
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3016
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2536
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1088
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1336
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2024
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1552
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2560
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1308
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2268
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2172
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2980
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:828
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2188
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1296
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1340
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2104
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2896
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1828
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2232
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1092
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1568
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2984
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2364
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2240
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2156
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2752
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2616
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:380
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2868
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1832
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2536
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1272
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1336
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1772
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2424
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1764
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1868
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1528
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:496
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2100
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3012
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2664
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2196
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2176
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2840
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1044
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:304
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1632
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2188
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1288
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1296
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2948
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2212
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:680
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1804
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1820
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2140
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1676
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2984
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2368
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2128
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1452
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2684
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2156
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2804
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2752
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2772
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:380
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2704
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1832
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2284
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1736
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1488
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2332
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2428
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2024
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:848
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1980
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:328
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1696
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2560
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1612
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1920
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2652
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1376
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2656
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2624
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2192
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2480
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2176
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1044
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2952
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:976
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1256
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1720
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:612
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1264
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1660
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1288
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1548
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:900
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2200
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2948
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2492
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2212
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2080
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2324
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2052
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:748
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1092
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1560
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1676
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1760
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2376
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3056
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1932
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1452
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1580
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2884
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:380
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1048
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3000
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:780
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:824
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1100
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1700
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2428
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2020
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1948
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2252
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1120
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1136
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1588
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:108
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2468
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2624
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2192
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2840
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2412
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:448
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2472
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2516
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1876
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2572
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2188
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2304
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1548
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:832
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2200
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1640
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1600
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:324
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2292
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2232
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1716
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1032
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1568
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2140
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3044
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3024
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2128
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2376
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1932
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1452
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2684
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2552
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2928
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2844
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2864
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:932
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1048
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2088
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2220
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:3048
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1784
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1100
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2568
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2108
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1688
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1764
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2116
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:484
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2252
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1868
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1768
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1120
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2816
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1788
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2660
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:1588
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1496
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2580
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2172
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2452
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:548
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2196
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2192
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2180
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2840
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2412
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1188
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:2472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:776
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:976
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2188
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:612
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:832
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    PID:3068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2948
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:1600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:324
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2384"
    3⤵
    - Enumerates processes with tasklist
    PID:2212
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2292
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp.bat

Filesize
354B

MD5
e5d0ccb4b0ff4868960efc0be88164a6

SHA1
f3b1173ee91948e2ab196b7d20758d86a0cdbbaf

SHA256
e5e453195859214e989509204476ed28e5c4774d80e99938a60b6cab9a48ace7

SHA512
a7768854bb4887b03057bf237b168efd8cfd2c965e4dcda1fdee92ea1794b8a12dccfb432e0a4ded7ce1f93a7a784f5b63b152f8337aec4f885d296ce69532af

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2384-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x0000000000DA0000-0x0000000001338000-memory.dmp

Filesize
5.6MB

Download
memory/2384-6-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-9-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download