30aa5d63d57d96e48788efcf488f3fb7ba05354313a383f15d5c5caca632c87c

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data.dat.exe
Size

5.7MB
MD5

fb25fdd6ff14150c12aadd9ee2d1a132
SHA1

3cfb3536cd95f0b45e3540241b29aaac8195969b
SHA256

30aa5d63d57d96e48788efcf488f3fb7ba05354313a383f15d5c5caca632c87c
SHA512

ffa52a7225aab5c5518d2ec872b20bb81a964b41205308cb72356e8f443b333a89239920989ffe032f5b5009d34ea04c4ffa8944e648633321c9a6685a3d9494
SSDEEP

98304:m2+l27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucz:moOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2100	data.dat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
1916	tasklist.exe
272	tasklist.exe
2068	tasklist.exe
1564	tasklist.exe
1664	tasklist.exe
2644	tasklist.exe
1448	tasklist.exe
1892	tasklist.exe
644	tasklist.exe
2780	tasklist.exe
1716	tasklist.exe
1752	tasklist.exe
2844	tasklist.exe
1592	tasklist.exe
2728	tasklist.exe
2896	tasklist.exe
3056	tasklist.exe
772	tasklist.exe
1796	tasklist.exe
2956	tasklist.exe
2148	tasklist.exe
2708	tasklist.exe
2324	tasklist.exe
432	tasklist.exe
856	tasklist.exe
2468	tasklist.exe
2292	tasklist.exe
1800	tasklist.exe
3040	tasklist.exe
640	tasklist.exe
2504	tasklist.exe
1732	tasklist.exe
2216	tasklist.exe
2488	tasklist.exe
1788	tasklist.exe
1036	tasklist.exe
1948	tasklist.exe
764	tasklist.exe
2616	tasklist.exe
3000	tasklist.exe
644	tasklist.exe
1520	tasklist.exe
2264	tasklist.exe
2520	tasklist.exe
1144	tasklist.exe
2900	tasklist.exe
1348	tasklist.exe
2440	tasklist.exe
1716	tasklist.exe
556	tasklist.exe
112	tasklist.exe
1796	tasklist.exe
2216	tasklist.exe
796	tasklist.exe
2496	tasklist.exe
2452	tasklist.exe
112	tasklist.exe
904	tasklist.exe
1504	tasklist.exe
1128	tasklist.exe
2196	tasklist.exe
2468	tasklist.exe
1120	tasklist.exe
1960	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2820	timeout.exe
1616	timeout.exe
2628	timeout.exe
1728	timeout.exe
788	timeout.exe
2944	timeout.exe
1912	timeout.exe
1964	timeout.exe
1648	timeout.exe
1748	timeout.exe
2296	timeout.exe
2524	timeout.exe
2256	timeout.exe
2704	timeout.exe
2064	timeout.exe
1840	timeout.exe
2476	timeout.exe
744	timeout.exe
1872	timeout.exe
1484	timeout.exe
2788	timeout.exe
2672	timeout.exe
912	timeout.exe
2588	timeout.exe
1028	timeout.exe
2792	timeout.exe
600	timeout.exe
1612	timeout.exe
2952	timeout.exe
892	timeout.exe
3008	timeout.exe
2364	timeout.exe
1256	timeout.exe
2916	timeout.exe
976	timeout.exe
928	timeout.exe
668	timeout.exe
1876	timeout.exe
2580	timeout.exe
1584	timeout.exe
1456	timeout.exe
1556	timeout.exe
2152	timeout.exe
1336	timeout.exe
1980	timeout.exe
1776	timeout.exe
1272	timeout.exe
800	timeout.exe
2112	timeout.exe
2700	timeout.exe
2148	timeout.exe
2144	timeout.exe
800	timeout.exe
1128	timeout.exe
2888	timeout.exe
3036	timeout.exe
2424	timeout.exe
1736	timeout.exe
2516	timeout.exe
1904	timeout.exe
2508	timeout.exe
556	timeout.exe
2484	timeout.exe
1224	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2100	data.dat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	data.dat.exe
Token: SeDebugPrivilege	2780	tasklist.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	1796	tasklist.exe
Token: SeDebugPrivilege	3040	tasklist.exe
Token: SeDebugPrivilege	3044	tasklist.exe
Token: SeDebugPrivilege	1900	tasklist.exe
Token: SeDebugPrivilege	2216	tasklist.exe
Token: SeDebugPrivilege	1964	tasklist.exe
Token: SeDebugPrivilege	1592	tasklist.exe
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	1488	tasklist.exe
Token: SeDebugPrivilege	2120	tasklist.exe
Token: SeDebugPrivilege	2244	tasklist.exe
Token: SeDebugPrivilege	1120	tasklist.exe
Token: SeDebugPrivilege	272	tasklist.exe
Token: SeDebugPrivilege	2596	tasklist.exe
Token: SeDebugPrivilege	1788	tasklist.exe
Token: SeDebugPrivilege	796	tasklist.exe
Token: SeDebugPrivilege	1664	tasklist.exe
Token: SeDebugPrivilege	1960	tasklist.exe
Token: SeDebugPrivilege	2588	tasklist.exe
Token: SeDebugPrivilege	2664	tasklist.exe
Token: SeDebugPrivilege	1036	tasklist.exe
Token: SeDebugPrivilege	1528	tasklist.exe
Token: SeDebugPrivilege	1236	tasklist.exe
Token: SeDebugPrivilege	1920	tasklist.exe
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	2952	tasklist.exe
Token: SeDebugPrivilege	2292	tasklist.exe
Token: SeDebugPrivilege	1476	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2708	tasklist.exe
Token: SeDebugPrivilege	2324	tasklist.exe
Token: SeDebugPrivilege	1520	tasklist.exe
Token: SeDebugPrivilege	1348	tasklist.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	1948	tasklist.exe
Token: SeDebugPrivilege	1648	tasklist.exe
Token: SeDebugPrivilege	640	tasklist.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	1276	tasklist.exe
Token: SeDebugPrivilege	600	tasklist.exe
Token: SeDebugPrivilege	764	tasklist.exe
Token: SeDebugPrivilege	2500	tasklist.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	772	tasklist.exe
Token: SeDebugPrivilege	2440	tasklist.exe
Token: SeDebugPrivilege	2504	tasklist.exe
Token: SeDebugPrivilege	1020	tasklist.exe
Token: SeDebugPrivilege	2564	tasklist.exe
Token: SeDebugPrivilege	1732	tasklist.exe
Token: SeDebugPrivilege	2648	tasklist.exe
Token: SeDebugPrivilege	1532	tasklist.exe
Token: SeDebugPrivilege	2396	tasklist.exe
Token: SeDebugPrivilege	2068	tasklist.exe
Token: SeDebugPrivilege	1744	tasklist.exe
Token: SeDebugPrivilege	2616	tasklist.exe
Token: SeDebugPrivilege	3000	tasklist.exe
Token: SeDebugPrivilege	2984	tasklist.exe
Token: SeDebugPrivilege	644	tasklist.exe
Token: SeDebugPrivilege	2896	tasklist.exe
Token: SeDebugPrivilege	2388	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2748	2100	data.dat.exe	31
PID 2100 wrote to memory of 2748	2100	data.dat.exe	31
PID 2100 wrote to memory of 2748	2100	data.dat.exe	31
PID 2748 wrote to memory of 2456	2748	cmd.exe	33
PID 2748 wrote to memory of 2456	2748	cmd.exe	33
PID 2748 wrote to memory of 2456	2748	cmd.exe	33
PID 2748 wrote to memory of 2780	2748	cmd.exe	34
PID 2748 wrote to memory of 2780	2748	cmd.exe	34
PID 2748 wrote to memory of 2780	2748	cmd.exe	34
PID 2748 wrote to memory of 2896	2748	cmd.exe	35
PID 2748 wrote to memory of 2896	2748	cmd.exe	35
PID 2748 wrote to memory of 2896	2748	cmd.exe	35
PID 2748 wrote to memory of 2788	2748	cmd.exe	36
PID 2748 wrote to memory of 2788	2748	cmd.exe	36
PID 2748 wrote to memory of 2788	2748	cmd.exe	36
PID 2748 wrote to memory of 2468	2748	cmd.exe	37
PID 2748 wrote to memory of 2468	2748	cmd.exe	37
PID 2748 wrote to memory of 2468	2748	cmd.exe	37
PID 2748 wrote to memory of 2352	2748	cmd.exe	38
PID 2748 wrote to memory of 2352	2748	cmd.exe	38
PID 2748 wrote to memory of 2352	2748	cmd.exe	38
PID 2748 wrote to memory of 1224	2748	cmd.exe	39
PID 2748 wrote to memory of 1224	2748	cmd.exe	39
PID 2748 wrote to memory of 1224	2748	cmd.exe	39
PID 2748 wrote to memory of 1796	2748	cmd.exe	40
PID 2748 wrote to memory of 1796	2748	cmd.exe	40
PID 2748 wrote to memory of 1796	2748	cmd.exe	40
PID 2748 wrote to memory of 2080	2748	cmd.exe	41
PID 2748 wrote to memory of 2080	2748	cmd.exe	41
PID 2748 wrote to memory of 2080	2748	cmd.exe	41
PID 2748 wrote to memory of 3028	2748	cmd.exe	42
PID 2748 wrote to memory of 3028	2748	cmd.exe	42
PID 2748 wrote to memory of 3028	2748	cmd.exe	42
PID 2748 wrote to memory of 3040	2748	cmd.exe	43
PID 2748 wrote to memory of 3040	2748	cmd.exe	43
PID 2748 wrote to memory of 3040	2748	cmd.exe	43
PID 2748 wrote to memory of 1040	2748	cmd.exe	44
PID 2748 wrote to memory of 1040	2748	cmd.exe	44
PID 2748 wrote to memory of 1040	2748	cmd.exe	44
PID 2748 wrote to memory of 800	2748	cmd.exe	45
PID 2748 wrote to memory of 800	2748	cmd.exe	45
PID 2748 wrote to memory of 800	2748	cmd.exe	45
PID 2748 wrote to memory of 3044	2748	cmd.exe	46
PID 2748 wrote to memory of 3044	2748	cmd.exe	46
PID 2748 wrote to memory of 3044	2748	cmd.exe	46
PID 2748 wrote to memory of 3060	2748	cmd.exe	47
PID 2748 wrote to memory of 3060	2748	cmd.exe	47
PID 2748 wrote to memory of 3060	2748	cmd.exe	47
PID 2748 wrote to memory of 1584	2748	cmd.exe	48
PID 2748 wrote to memory of 1584	2748	cmd.exe	48
PID 2748 wrote to memory of 1584	2748	cmd.exe	48
PID 2748 wrote to memory of 1900	2748	cmd.exe	49
PID 2748 wrote to memory of 1900	2748	cmd.exe	49
PID 2748 wrote to memory of 1900	2748	cmd.exe	49
PID 2748 wrote to memory of 1672	2748	cmd.exe	50
PID 2748 wrote to memory of 1672	2748	cmd.exe	50
PID 2748 wrote to memory of 1672	2748	cmd.exe	50
PID 2748 wrote to memory of 2820	2748	cmd.exe	51
PID 2748 wrote to memory of 2820	2748	cmd.exe	51
PID 2748 wrote to memory of 2820	2748	cmd.exe	51
PID 2748 wrote to memory of 2216	2748	cmd.exe	52
PID 2748 wrote to memory of 2216	2748	cmd.exe	52
PID 2748 wrote to memory of 2216	2748	cmd.exe	52
PID 2748 wrote to memory of 2288	2748	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\data.dat.exe
"C:\Users\Admin\AppData\Local\Temp\data.dat.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp864F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp864F.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1224
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2080
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1584
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2820
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2288
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1944
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:396
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1840
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2248
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1908
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2152
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2488
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2296
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1336
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:272
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:684
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1428
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2700
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1164
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1312
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2672
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2032
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:680
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2620
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2476
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:896
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1616
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2176
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1460
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2300
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1128
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2616
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2944
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3052
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2984
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:912
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:644
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2744
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2704
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2468
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1752
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2792
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1876
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3056
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2072
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1900
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2216
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2256
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1612
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2516
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1488
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1680
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2120
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1912
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:600
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1564
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1776
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1508
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2596
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1788
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1904
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2236
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2660
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2464
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1484
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:892
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1628
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1236
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1736
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1124
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2552
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1456
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:668
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2948
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2952
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2888
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1472
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2088
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2780
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1784
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2508
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1796
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3032
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1716
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2548
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:3056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2124
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:296
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:556
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:848
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2424
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1648
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2492
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2148
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2520
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1720
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2232
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:976
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1144
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:600
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1500
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:684
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2432
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:112
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2484
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1800
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1700
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1608
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2464
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:532
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1484
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2476
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2588
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1504
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1524
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2648
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1888
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:924
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1628
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2308
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1892
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1256
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1128
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2936
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2196
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1728
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2444
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2944
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2580
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1916
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1272
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2452
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:912
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2776
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2108
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2956
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2704
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:3024
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2468
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2388
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:800
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1752
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1624
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2364
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1716
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2112
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:3056
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2124
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2900
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1556
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2356
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:396
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2256
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1748
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2260
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2152
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2144
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:2488
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1304
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2296
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:744
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:1144
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1976
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1500
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:788
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:1448
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1120
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2064
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    PID:2584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:456
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:772
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2100"
    3⤵
    - Enumerates processes with tasklist
    PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp864F.tmp.bat

Filesize
287B

MD5
a4c994728e56bff03c0608c5e2a21323

SHA1
ff635b4e58696c66b3940f612fff01ae9dc1937e

SHA256
c5b5899a8c5d49f48d4a653c7fe869a4e4bbabcea7b2203e68cb991c676e2df8

SHA512
64db7d960588749a559053c58c35ad719877c92038acfd3430f7cfe3f510b0b5a4b9c76536e935bb34c4f10b67e23d973711a65d9652f15df706fbd141193ca5

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\05A92EC28EDC5561548638CAA951F864\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2100-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000000ED0000-0x0000000001492000-memory.dmp

Filesize
5.8MB

Download
memory/2100-6-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-7-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2100-8-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-12-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download