Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 01:28
General
-
Target
plpscripts_freeV2/auto_setup_install.bat
-
Size
2KB
-
MD5
bdba7ddafbddca1a9bd0ed4646819426
-
SHA1
9a69db7ab775800ce12e7c05e0193046b6d9ee04
-
SHA256
160184eb890d9d25418bba37efb2fabedb93b333de9a1fd291e233e750344a15
-
SHA512
7d46bc1c8723a43fe0b9a8bce21be3abad96b6bba9558bc564b9e6adfc8eebd5c94bae8839f1d4d46654a15a46398ada29aad33d18fc49efe8468d8841c69898
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Delays execution with timeout.exe 64 IoCs
-
Enumerates processes with tasklist 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\auto_setup_install.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "(New-Object System.Net.WebClient).DownloadFile('https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe', 'C:\Users\Admin\AppData\Local\Temp\python_installer.exe')"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\python_installer.exe"C:\Users\Admin\AppData\Local\Temp\python_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{45F073D3-2263-47D2-9017-C684E4B49770}\.cr\python_installer.exe"C:\Windows\Temp\{45F073D3-2263-47D2-9017-C684E4B49770}\.cr\python_installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python_installer.exe" -burn.filehandle.attached=552 -burn.filehandle.self=7083⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
-
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\find.exefind /i "python_installer.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 2 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lti4lrlk.exy.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\python_installer.exeFilesize
27.3MB
MD59a99ae597902b70b1273e88cc8d41abd
SHA1058c5319e77a698b185975084c7be7d25ae021b2
SHA25669165821dad57c6d8d29ec8598933db7c4498f8ef9d477fa13c677fd82567b58
SHA512ad8e63ab10ad324ffc897346d18ee8a91459bbcb4f433103c94177eefe5aa512a996efac4284e8f9fd5c91c1e86bd7594b58eb9ecc235512bd55e9d5355fdc84
-
C:\Windows\Temp\{45F073D3-2263-47D2-9017-C684E4B49770}\.cr\python_installer.exeFilesize
847KB
MD523c2a4873a11487432a5a9f8fae22daf
SHA1b54c2efc8e82da30bb572f1c8b38caaa83fe9f4c
SHA25606534685e5d6290f714396cd31eaea9c5db2db897c81ccebb83c18e2a8f7f500
SHA5128c4f8677be71b6d2d6ac73c94c3d6e2b401b1b849b1298b58f6ef922739477a58fc2ab5b15520ccfb8014a7b877768b04830ef590b4859304246f5e3cca97ce7
-
C:\Windows\Temp\{8D3B3DEF-3D94-4811-88A7-7C7BD93DFDC4}\.ba\PythonBA.dllFilesize
650KB
MD58a0ff08cb1a531501f1ebe6ac7c0bd2b
SHA116a8b02eb8dde520a20a139d9dcb784edf75f2c0
SHA2564b52b37b1c2e5f5d1ab5d6d22c4c4095b63ddf26fb9dec24254deef102daa1fe
SHA512da95551e1e6c9528f503668cc57cb0dd8d220c441d3d3d0ca7d4a59e665dbc00e0f0fc434b880aeea984f3f5b1bc3b5091786231454875e0833965a3a25df8f1
-
C:\Windows\Temp\{8D3B3DEF-3D94-4811-88A7-7C7BD93DFDC4}\.ba\SideBar.pngFilesize
50KB
MD5888eb713a0095756252058c9727e088a
SHA1c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4
SHA25679434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067
SHA5127c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0
-
memory/4656-0-0x00007FFCAD333000-0x00007FFCAD335000-memory.dmpFilesize
8KB
-
memory/4656-10-0x00000175E5550000-0x00000175E5572000-memory.dmpFilesize
136KB
-
memory/4656-11-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmpFilesize
10.8MB
-
memory/4656-12-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmpFilesize
10.8MB
-
memory/4656-16-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmpFilesize
10.8MB
