30aa5d63d57d96e48788efcf488f3fb7ba05354313a383f15d5c5caca632c87c

Analysis

max time kernel
149s
max time network
26s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/01/2025, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data.exe
Size

5.7MB
MD5

fb25fdd6ff14150c12aadd9ee2d1a132
SHA1

3cfb3536cd95f0b45e3540241b29aaac8195969b
SHA256

30aa5d63d57d96e48788efcf488f3fb7ba05354313a383f15d5c5caca632c87c
SHA512

ffa52a7225aab5c5518d2ec872b20bb81a964b41205308cb72356e8f443b333a89239920989ffe032f5b5009d34ea04c4ffa8944e648633321c9a6685a3d9494
SSDEEP

98304:m2+l27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucz:moOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2100	data.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
1944	tasklist.exe
1700	tasklist.exe
2508	tasklist.exe
2508	tasklist.exe
2868	tasklist.exe
2968	tasklist.exe
1120	tasklist.exe
2620	tasklist.exe
2884	tasklist.exe
1900	tasklist.exe
3012	tasklist.exe
3016	tasklist.exe
1036	tasklist.exe
2720	tasklist.exe
1708	tasklist.exe
2592	tasklist.exe
1684	tasklist.exe
272	tasklist.exe
1032	tasklist.exe
1612	tasklist.exe
700	tasklist.exe
2316	tasklist.exe
3020	tasklist.exe
2108	tasklist.exe
2484	tasklist.exe
1344	tasklist.exe
3044	tasklist.exe
2596	tasklist.exe
1680	tasklist.exe
2524	tasklist.exe
2984	tasklist.exe
1632	tasklist.exe
2400	tasklist.exe
2288	tasklist.exe
2392	tasklist.exe
2300	tasklist.exe
1488	tasklist.exe
1620	tasklist.exe
1456	tasklist.exe
2616	tasklist.exe
2968	tasklist.exe
2760	tasklist.exe
2660	tasklist.exe
2140	tasklist.exe
944	tasklist.exe
320	tasklist.exe
2304	tasklist.exe
2556	tasklist.exe
796	tasklist.exe
1676	tasklist.exe
1448	tasklist.exe
1504	tasklist.exe
2592	tasklist.exe
2688	tasklist.exe
2912	tasklist.exe
1272	tasklist.exe
2728	tasklist.exe
1684	tasklist.exe
2920	tasklist.exe
2732	tasklist.exe
2984	tasklist.exe
1932	tasklist.exe
2068	tasklist.exe
2440	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2112	timeout.exe
1496	timeout.exe
2596	timeout.exe
1116	timeout.exe
3020	timeout.exe
972	timeout.exe
2420	timeout.exe
1720	timeout.exe
940	timeout.exe
2108	timeout.exe
2248	timeout.exe
2984	timeout.exe
3008	timeout.exe
272	timeout.exe
1852	timeout.exe
2272	timeout.exe
1928	timeout.exe
1556	timeout.exe
2520	timeout.exe
1592	timeout.exe
2032	timeout.exe
2080	timeout.exe
2968	timeout.exe
1796	timeout.exe
904	timeout.exe
2704	timeout.exe
668	timeout.exe
2576	timeout.exe
2900	timeout.exe
796	timeout.exe
960	timeout.exe
2272	timeout.exe
1472	timeout.exe
2480	timeout.exe
2364	timeout.exe
2700	timeout.exe
1868	timeout.exe
2252	timeout.exe
1212	timeout.exe
2864	timeout.exe
2124	timeout.exe
1056	timeout.exe
2836	timeout.exe
1732	timeout.exe
2452	timeout.exe
2136	timeout.exe
1472	timeout.exe
1876	timeout.exe
800	timeout.exe
848	timeout.exe
788	timeout.exe
1800	timeout.exe
1564	timeout.exe
2500	timeout.exe
1892	timeout.exe
668	timeout.exe
1844	timeout.exe
2392	timeout.exe
2288	timeout.exe
2172	timeout.exe
2308	timeout.exe
1752	timeout.exe
1272	timeout.exe
1872	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2100	data.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	data.exe
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	1344	tasklist.exe
Token: SeDebugPrivilege	2324	tasklist.exe
Token: SeDebugPrivilege	1884	tasklist.exe
Token: SeDebugPrivilege	3044	tasklist.exe
Token: SeDebugPrivilege	1932	tasklist.exe
Token: SeDebugPrivilege	2540	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	1488	tasklist.exe
Token: SeDebugPrivilege	2320	tasklist.exe
Token: SeDebugPrivilege	2244	tasklist.exe
Token: SeDebugPrivilege	1120	tasklist.exe
Token: SeDebugPrivilege	272	tasklist.exe
Token: SeDebugPrivilege	2596	tasklist.exe
Token: SeDebugPrivilege	472	tasklist.exe
Token: SeDebugPrivilege	796	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	1684	tasklist.exe
Token: SeDebugPrivilege	2620	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	2184	tasklist.exe
Token: SeDebugPrivilege	1532	tasklist.exe
Token: SeDebugPrivilege	2068	tasklist.exe
Token: SeDebugPrivilege	2196	tasklist.exe
Token: SeDebugPrivilege	2732	tasklist.exe
Token: SeDebugPrivilege	1620	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe
Token: SeDebugPrivilege	2920	tasklist.exe
Token: SeDebugPrivilege	2744	tasklist.exe
Token: SeDebugPrivilege	2508	tasklist.exe
Token: SeDebugPrivilege	3032	tasklist.exe
Token: SeDebugPrivilege	1520	tasklist.exe
Token: SeDebugPrivilege	1348	tasklist.exe
Token: SeDebugPrivilege	3016	tasklist.exe
Token: SeDebugPrivilege	1676	tasklist.exe
Token: SeDebugPrivilege	320	tasklist.exe
Token: SeDebugPrivilege	760	tasklist.exe
Token: SeDebugPrivilege	1304	tasklist.exe
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	1276	tasklist.exe
Token: SeDebugPrivilege	960	tasklist.exe
Token: SeDebugPrivilege	1564	tasklist.exe
Token: SeDebugPrivilege	456	tasklist.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	2688	tasklist.exe
Token: SeDebugPrivilege	2440	tasklist.exe
Token: SeDebugPrivilege	700	tasklist.exe
Token: SeDebugPrivilege	1960	tasklist.exe
Token: SeDebugPrivilege	2664	tasklist.exe
Token: SeDebugPrivilege	1036	tasklist.exe
Token: SeDebugPrivilege	2308	tasklist.exe
Token: SeDebugPrivilege	2200	tasklist.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	1456	tasklist.exe
Token: SeDebugPrivilege	2884	tasklist.exe
Token: SeDebugPrivilege	2868	tasklist.exe
Token: SeDebugPrivilege	2988	tasklist.exe
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeDebugPrivilege	2720	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 644	2100	data.exe	31
PID 2100 wrote to memory of 644	2100	data.exe	31
PID 2100 wrote to memory of 644	2100	data.exe	31
PID 644 wrote to memory of 2992	644	cmd.exe	33
PID 644 wrote to memory of 2992	644	cmd.exe	33
PID 644 wrote to memory of 2992	644	cmd.exe	33
PID 644 wrote to memory of 2760	644	cmd.exe	34
PID 644 wrote to memory of 2760	644	cmd.exe	34
PID 644 wrote to memory of 2760	644	cmd.exe	34
PID 644 wrote to memory of 2980	644	cmd.exe	35
PID 644 wrote to memory of 2980	644	cmd.exe	35
PID 644 wrote to memory of 2980	644	cmd.exe	35
PID 644 wrote to memory of 2748	644	cmd.exe	36
PID 644 wrote to memory of 2748	644	cmd.exe	36
PID 644 wrote to memory of 2748	644	cmd.exe	36
PID 644 wrote to memory of 2860	644	cmd.exe	37
PID 644 wrote to memory of 2860	644	cmd.exe	37
PID 644 wrote to memory of 2860	644	cmd.exe	37
PID 644 wrote to memory of 2888	644	cmd.exe	38
PID 644 wrote to memory of 2888	644	cmd.exe	38
PID 644 wrote to memory of 2888	644	cmd.exe	38
PID 644 wrote to memory of 2956	644	cmd.exe	39
PID 644 wrote to memory of 2956	644	cmd.exe	39
PID 644 wrote to memory of 2956	644	cmd.exe	39
PID 644 wrote to memory of 2728	644	cmd.exe	40
PID 644 wrote to memory of 2728	644	cmd.exe	40
PID 644 wrote to memory of 2728	644	cmd.exe	40
PID 644 wrote to memory of 2736	644	cmd.exe	41
PID 644 wrote to memory of 2736	644	cmd.exe	41
PID 644 wrote to memory of 2736	644	cmd.exe	41
PID 644 wrote to memory of 2352	644	cmd.exe	42
PID 644 wrote to memory of 2352	644	cmd.exe	42
PID 644 wrote to memory of 2352	644	cmd.exe	42
PID 644 wrote to memory of 1344	644	cmd.exe	43
PID 644 wrote to memory of 1344	644	cmd.exe	43
PID 644 wrote to memory of 1344	644	cmd.exe	43
PID 644 wrote to memory of 2704	644	cmd.exe	44
PID 644 wrote to memory of 2704	644	cmd.exe	44
PID 644 wrote to memory of 2704	644	cmd.exe	44
PID 644 wrote to memory of 1752	644	cmd.exe	45
PID 644 wrote to memory of 1752	644	cmd.exe	45
PID 644 wrote to memory of 1752	644	cmd.exe	45
PID 644 wrote to memory of 2324	644	cmd.exe	46
PID 644 wrote to memory of 2324	644	cmd.exe	46
PID 644 wrote to memory of 2324	644	cmd.exe	46
PID 644 wrote to memory of 3036	644	cmd.exe	47
PID 644 wrote to memory of 3036	644	cmd.exe	47
PID 644 wrote to memory of 3036	644	cmd.exe	47
PID 644 wrote to memory of 2272	644	cmd.exe	48
PID 644 wrote to memory of 2272	644	cmd.exe	48
PID 644 wrote to memory of 2272	644	cmd.exe	48
PID 644 wrote to memory of 1884	644	cmd.exe	49
PID 644 wrote to memory of 1884	644	cmd.exe	49
PID 644 wrote to memory of 1884	644	cmd.exe	49
PID 644 wrote to memory of 1316	644	cmd.exe	50
PID 644 wrote to memory of 1316	644	cmd.exe	50
PID 644 wrote to memory of 1316	644	cmd.exe	50
PID 644 wrote to memory of 800	644	cmd.exe	51
PID 644 wrote to memory of 800	644	cmd.exe	51
PID 644 wrote to memory of 800	644	cmd.exe	51
PID 644 wrote to memory of 3044	644	cmd.exe	52
PID 644 wrote to memory of 3044	644	cmd.exe	52
PID 644 wrote to memory of 3044	644	cmd.exe	52
PID 644 wrote to memory of 3060	644	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\data.exe
"C:\Users\Admin\AppData\Local\Temp\data.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3044.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3044.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2980
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2748
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2956
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2736
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2352
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2704
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1752
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2272
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1316
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:296
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2140
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:324
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1944
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:396
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2248
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1908
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2152
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2488
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2180
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1336
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1844
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:272
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:684
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:472
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1432
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2700
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1980
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2392
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:532
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2236
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1860
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2176
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1544
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1236
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2452
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2912
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1212
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1456
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2832
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:668
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2988
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2860
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2448
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2080
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1224
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3040
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3024
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2792
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1876
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2124
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1900
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2112
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2340
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2356
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1116
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1552
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1720
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2316
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2280
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1852
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2628
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2412
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:456
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:272
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:940
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:796
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:680
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2588
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1744
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2620
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2696
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:896
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1272
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2568
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1056
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2284
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2136
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2616
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3020
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2984
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1796
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:956
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2708
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2420
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2108
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1872
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2968
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2792
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2544
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:3056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2900
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1676
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1868
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2256
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2424
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2304
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2264
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1612
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2172
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2516
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1276
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2316
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1912
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:960
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2280
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1564
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1976
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2904
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1448
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2528
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2168
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2524
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1724
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2224
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2824
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1980
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2252
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2400
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2416
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1744
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2620
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1460
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:896
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:928
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1544
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1272
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2816
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:3012
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1212
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2444
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2992
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2732
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2616
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2748
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:668
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:3020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2836
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2984
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2508
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2420
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2108
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1316
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2544
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2548
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:3016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2540
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2112
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2288
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:432
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1496
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1868
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1548
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1748
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1116
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:760
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2148
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1612
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:836
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2172
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1552
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2316
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1440
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1708
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2480
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1976
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2904
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:272
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:456
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1448
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2596
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1232
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:944
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1800
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1664
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2392
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1684
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2400
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1504
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1736
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2696
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2308
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2300
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1072
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2452
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1652
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1920
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:3012
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2680
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1480
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2100
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2732
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2832
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2928
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1656
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:3020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2352
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2984
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2756
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2272
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:956
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3036
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2108
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1316
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2364
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2140
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1348
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3044.tmp.bat

Filesize
283B

MD5
65eefa24969ca8dd2fa0115bfe002b33

SHA1
a88bb340eaa0daeaf4477b9621f03fb7fa9d9114

SHA256
a921503d02ad3ed91d4dd1d35c624e5312d7083161d39cc975e1d221a642c4d2

SHA512
d69363dceca3a030f260b6406509296b04701f3fbc47948b13e30d26557b8908953acbcb0b028bdce6f06766b1d662133f709157849dff84da37c88da56c4d36

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\05A92EC28EDC5561548638CAA951F864\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2100-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000000AC0000-0x0000000001082000-memory.dmp

Filesize
5.8MB

Download
memory/2100-6-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-7-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2100-8-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-12-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download