30aa5d63d57d96e48788efcf488f3fb7ba05354313a383f15d5c5caca632c87c

Analysis

max time kernel
138s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data.dat.exe
Size

5.7MB
MD5

fb25fdd6ff14150c12aadd9ee2d1a132
SHA1

3cfb3536cd95f0b45e3540241b29aaac8195969b
SHA256

30aa5d63d57d96e48788efcf488f3fb7ba05354313a383f15d5c5caca632c87c
SHA512

ffa52a7225aab5c5518d2ec872b20bb81a964b41205308cb72356e8f443b333a89239920989ffe032f5b5009d34ea04c4ffa8944e648633321c9a6685a3d9494
SSDEEP

98304:m2+l27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucz:moOuK6mn9NzgMoYkSIvUcwti7TQlvciE

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2508	data.dat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
6	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
2404	tasklist.exe
264	tasklist.exe
1552	tasklist.exe
2732	tasklist.exe
1444	tasklist.exe
1216	tasklist.exe
1064	tasklist.exe
2424	tasklist.exe
1856	tasklist.exe
1996	tasklist.exe
1064	tasklist.exe
1100	tasklist.exe
2836	tasklist.exe
2524	tasklist.exe
1720	tasklist.exe
3016	tasklist.exe
2484	tasklist.exe
1960	tasklist.exe
2972	tasklist.exe
1896	tasklist.exe
2348	tasklist.exe
2156	tasklist.exe
2716	tasklist.exe
980	tasklist.exe
2528	tasklist.exe
1988	tasklist.exe
468	tasklist.exe
236	tasklist.exe
1784	tasklist.exe
2192	tasklist.exe
2416	tasklist.exe
1632	tasklist.exe
2572	tasklist.exe
1976	tasklist.exe
1788	tasklist.exe
1520	tasklist.exe
468	tasklist.exe
2568	tasklist.exe
2784	tasklist.exe
2680	tasklist.exe
1248	tasklist.exe
2792	tasklist.exe
2644	tasklist.exe
2876	tasklist.exe
1580	tasklist.exe
892	tasklist.exe
1788	tasklist.exe
2508	tasklist.exe
2492	tasklist.exe
2664	tasklist.exe
1972	tasklist.exe
3020	tasklist.exe
2148	tasklist.exe
3048	tasklist.exe
2236	tasklist.exe
328	tasklist.exe
2680	tasklist.exe
2568	tasklist.exe
2392	tasklist.exe
2208	tasklist.exe
2692	tasklist.exe
3036	tasklist.exe
2324	tasklist.exe
2260	tasklist.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1216	timeout.exe
2264	timeout.exe
1084	timeout.exe
1008	timeout.exe
2136	timeout.exe
872	timeout.exe
2880	timeout.exe
2656	timeout.exe
1068	timeout.exe
2432	timeout.exe
1068	timeout.exe
1992	timeout.exe
2124	timeout.exe
1456	timeout.exe
2420	timeout.exe
2192	timeout.exe
2132	timeout.exe
1608	timeout.exe
3032	timeout.exe
2520	timeout.exe
1572	timeout.exe
2444	timeout.exe
1080	timeout.exe
1440	timeout.exe
2560	timeout.exe
3004	timeout.exe
2144	timeout.exe
1936	timeout.exe
2416	timeout.exe
1512	timeout.exe
1716	timeout.exe
2996	timeout.exe
1912	timeout.exe
2884	timeout.exe
996	timeout.exe
2036	timeout.exe
2708	timeout.exe
2676	timeout.exe
908	timeout.exe
2848	timeout.exe
1592	timeout.exe
2856	timeout.exe
1956	timeout.exe
2608	timeout.exe
1252	timeout.exe
2192	timeout.exe
2668	timeout.exe
2076	timeout.exe
872	timeout.exe
2284	timeout.exe
980	timeout.exe
764	timeout.exe
1456	timeout.exe
2888	timeout.exe
1456	timeout.exe
1964	timeout.exe
1936	timeout.exe
352	timeout.exe
1572	timeout.exe
1712	timeout.exe
2872	timeout.exe
1132	timeout.exe
1080	timeout.exe
3056	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2508	data.dat.exe
2508	data.dat.exe
2508	data.dat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	data.dat.exe
Token: SeDebugPrivilege	2720	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeDebugPrivilege	2568	tasklist.exe
Token: SeDebugPrivilege	1432	tasklist.exe
Token: SeDebugPrivilege	2156	tasklist.exe
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeDebugPrivilege	1248	tasklist.exe
Token: SeDebugPrivilege	2260	tasklist.exe
Token: SeDebugPrivilege	1064	tasklist.exe
Token: SeDebugPrivilege	236	tasklist.exe
Token: SeDebugPrivilege	1972	tasklist.exe
Token: SeDebugPrivilege	2424	tasklist.exe
Token: SeDebugPrivilege	2212	tasklist.exe
Token: SeDebugPrivilege	2192	tasklist.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	1936	tasklist.exe
Token: SeDebugPrivilege	400	tasklist.exe
Token: SeDebugPrivilege	1464	tasklist.exe
Token: SeDebugPrivilege	2136	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	2348	tasklist.exe
Token: SeDebugPrivilege	2304	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	2792	tasklist.exe
Token: SeDebugPrivilege	2716	tasklist.exe
Token: SeDebugPrivilege	1856	tasklist.exe
Token: SeDebugPrivilege	2852	tasklist.exe
Token: SeDebugPrivilege	2820	tasklist.exe
Token: SeDebugPrivilege	2972	tasklist.exe
Token: SeDebugPrivilege	2240	tasklist.exe
Token: SeDebugPrivilege	1996	tasklist.exe
Token: SeDebugPrivilege	2580	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe
Token: SeDebugPrivilege	2644	tasklist.exe
Token: SeDebugPrivilege	2664	tasklist.exe
Token: SeDebugPrivilege	940	tasklist.exe
Token: SeDebugPrivilege	2404	tasklist.exe
Token: SeDebugPrivilege	648	tasklist.exe
Token: SeDebugPrivilege	1788	tasklist.exe
Token: SeDebugPrivilege	2236	tasklist.exe
Token: SeDebugPrivilege	2184	tasklist.exe
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeDebugPrivilege	1896	tasklist.exe
Token: SeDebugPrivilege	564	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	1520	tasklist.exe
Token: SeDebugPrivilege	2936	tasklist.exe
Token: SeDebugPrivilege	980	tasklist.exe
Token: SeDebugPrivilege	2524	tasklist.exe
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeDebugPrivilege	328	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	2876	tasklist.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	468	tasklist.exe
Token: SeDebugPrivilege	2216	tasklist.exe
Token: SeDebugPrivilege	2720	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeDebugPrivilege	2568	tasklist.exe
Token: SeDebugPrivilege	1432	tasklist.exe
Token: SeDebugPrivilege	3000	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2628	2508	data.dat.exe	31
PID 2508 wrote to memory of 2628	2508	data.dat.exe	31
PID 2508 wrote to memory of 2628	2508	data.dat.exe	31
PID 2628 wrote to memory of 2656	2628	cmd.exe	33
PID 2628 wrote to memory of 2656	2628	cmd.exe	33
PID 2628 wrote to memory of 2656	2628	cmd.exe	33
PID 2628 wrote to memory of 2720	2628	cmd.exe	34
PID 2628 wrote to memory of 2720	2628	cmd.exe	34
PID 2628 wrote to memory of 2720	2628	cmd.exe	34
PID 2628 wrote to memory of 2608	2628	cmd.exe	35
PID 2628 wrote to memory of 2608	2628	cmd.exe	35
PID 2628 wrote to memory of 2608	2628	cmd.exe	35
PID 2628 wrote to memory of 2668	2628	cmd.exe	36
PID 2628 wrote to memory of 2668	2628	cmd.exe	36
PID 2628 wrote to memory of 2668	2628	cmd.exe	36
PID 2628 wrote to memory of 2680	2628	cmd.exe	37
PID 2628 wrote to memory of 2680	2628	cmd.exe	37
PID 2628 wrote to memory of 2680	2628	cmd.exe	37
PID 2628 wrote to memory of 2728	2628	cmd.exe	38
PID 2628 wrote to memory of 2728	2628	cmd.exe	38
PID 2628 wrote to memory of 2728	2628	cmd.exe	38
PID 2628 wrote to memory of 3056	2628	cmd.exe	39
PID 2628 wrote to memory of 3056	2628	cmd.exe	39
PID 2628 wrote to memory of 3056	2628	cmd.exe	39
PID 2628 wrote to memory of 2568	2628	cmd.exe	40
PID 2628 wrote to memory of 2568	2628	cmd.exe	40
PID 2628 wrote to memory of 2568	2628	cmd.exe	40
PID 2628 wrote to memory of 1900	2628	cmd.exe	41
PID 2628 wrote to memory of 1900	2628	cmd.exe	41
PID 2628 wrote to memory of 1900	2628	cmd.exe	41
PID 2628 wrote to memory of 1456	2628	cmd.exe	42
PID 2628 wrote to memory of 1456	2628	cmd.exe	42
PID 2628 wrote to memory of 1456	2628	cmd.exe	42
PID 2628 wrote to memory of 1432	2628	cmd.exe	43
PID 2628 wrote to memory of 1432	2628	cmd.exe	43
PID 2628 wrote to memory of 1432	2628	cmd.exe	43
PID 2628 wrote to memory of 1984	2628	cmd.exe	44
PID 2628 wrote to memory of 1984	2628	cmd.exe	44
PID 2628 wrote to memory of 1984	2628	cmd.exe	44
PID 2628 wrote to memory of 2996	2628	cmd.exe	45
PID 2628 wrote to memory of 2996	2628	cmd.exe	45
PID 2628 wrote to memory of 2996	2628	cmd.exe	45
PID 2628 wrote to memory of 2156	2628	cmd.exe	46
PID 2628 wrote to memory of 2156	2628	cmd.exe	46
PID 2628 wrote to memory of 2156	2628	cmd.exe	46
PID 2628 wrote to memory of 3000	2628	cmd.exe	47
PID 2628 wrote to memory of 3000	2628	cmd.exe	47
PID 2628 wrote to memory of 3000	2628	cmd.exe	47
PID 2628 wrote to memory of 2856	2628	cmd.exe	48
PID 2628 wrote to memory of 2856	2628	cmd.exe	48
PID 2628 wrote to memory of 2856	2628	cmd.exe	48
PID 2628 wrote to memory of 2928	2628	cmd.exe	49
PID 2628 wrote to memory of 2928	2628	cmd.exe	49
PID 2628 wrote to memory of 2928	2628	cmd.exe	49
PID 2628 wrote to memory of 2952	2628	cmd.exe	50
PID 2628 wrote to memory of 2952	2628	cmd.exe	50
PID 2628 wrote to memory of 2952	2628	cmd.exe	50
PID 2628 wrote to memory of 2372	2628	cmd.exe	51
PID 2628 wrote to memory of 2372	2628	cmd.exe	51
PID 2628 wrote to memory of 2372	2628	cmd.exe	51
PID 2628 wrote to memory of 1248	2628	cmd.exe	52
PID 2628 wrote to memory of 1248	2628	cmd.exe	52
PID 2628 wrote to memory of 1248	2628	cmd.exe	52
PID 2628 wrote to memory of 816	2628	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\data.dat.exe
"C:\Users\Admin\AppData\Local\Temp\data.dat.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF518.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF518.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2656
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2608
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2668
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2728
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3056
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1900
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1984
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3000
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2952
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2372
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:816
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2916
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2416
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:820
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1512
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2444
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2072
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2436
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2076
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1956
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2200
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1628
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1912
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:884
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1960
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2496
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:824
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3004
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2360
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2132
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1224
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:980
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1384
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2524
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1216
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1080
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2264
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2760
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2800
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2280
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2884
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2648
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2188
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2888
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:892
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2924
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1132
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2704
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2708
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1248
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2432
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2380
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:912
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1120
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2480
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1252
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2204
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2144
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2256
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2200
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2192
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1912
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2492
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1936
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:872
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1652
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2360
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1704
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2960
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1384
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2468
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2544
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1676
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2984
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2124
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2656
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2620
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2676
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1440
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1688
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2168
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2932
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2860
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:3040
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3064
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2428
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2916
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1632
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1064
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2312
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2848
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1100
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1092
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2392
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2396
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2444
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2324
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2388
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2144
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2208
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2384
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1964
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:3008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1640
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1628
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:1088
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1540
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2492
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1444
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2864
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1936
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2488
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2232
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2572
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:932
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1464
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:3016
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2344
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1796
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:264
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1520
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1716
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:1748
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2936
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1592
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:1920
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2160
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:764
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:1660
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1888
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:352
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:748
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1264
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1080
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2528
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1040
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1580
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1692
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2288
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:1968
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2840
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2880
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2764
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2632
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2800
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2852
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1992
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2692
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2656
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2624
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2972
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2676
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:3048
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3044
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1440
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:892
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1988
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:828
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:996
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2148
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3068
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2856
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1976
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1784
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2180
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2036
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2260
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:908
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2416
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1052
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2420
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2484
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:648
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1712
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1788
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1512
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:320
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2784
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2024
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2560
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2072
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2296
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1956
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2184
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1880
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2192
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2200
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:324
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1084
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:1912
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1800
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1504
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2964
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2488
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2284
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:3036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1436
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2136
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2352
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2336
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2132
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2360
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2116
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1756
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2068
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2120
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1384
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2088
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2292
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1068
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:1268
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3012
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:1500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1216
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1080
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    PID:2544
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2520
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:1552
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1576
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2872
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2836
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2876
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    PID:2920
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2732
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1548
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2124
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:468
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1416
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2884
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2508"
    3⤵
    - Enumerates processes with tasklist
    PID:2508
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF518.tmp.bat

Filesize
287B

MD5
8899ade39cf03fa32850afacb6ea4419

SHA1
cefec55c90ba6aa405067f751a28faa5f10daf17

SHA256
9144a2c7e4ce44c7595e9ab826b4c157f6b3b3a6caf8a65f2d93a16d2838036c

SHA512
488a9631a2247490a02de03cfe6156c1e986919d38a15bd496411098156c8d8ab5f5e90c022b80358e43fc6b6b539d3ba9973c84a4cf4566a0bab6b6221c1f69

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\05A92EC28EDC5561548638CAA951F864\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2508-0-0x000007FEF63C3000-0x000007FEF63C4000-memory.dmp

Filesize
4KB

Download
memory/2508-1-0x0000000000D10000-0x00000000012D2000-memory.dmp

Filesize
5.8MB

Download
memory/2508-6-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-7-0x000007FEF63C3000-0x000007FEF63C4000-memory.dmp

Filesize
4KB

Download
memory/2508-8-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-11-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download