ceecefcf9cdd5c58e5b934ae568c241986f85df3ba4648dc925fc93b2243cbf8

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

plpscripts_freeV2/auto_setup_install.bat
Size

2KB
MD5

bdba7ddafbddca1a9bd0ed4646819426
SHA1

9a69db7ab775800ce12e7c05e0193046b6d9ee04
SHA256

160184eb890d9d25418bba37efb2fabedb93b333de9a1fd291e233e750344a15
SHA512

7d46bc1c8723a43fe0b9a8bce21be3abad96b6bba9558bc564b9e6adfc8eebd5c94bae8839f1d4d46654a15a46398ada29aad33d18fc49efe8468d8841c69898

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	4656	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1232	python_installer.exe
2840	python_installer.exe

Loads dropped DLL 1 IoCs

pid	Process
2840	python_installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4656	powershell.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4336	timeout.exe
4848	timeout.exe
2864	timeout.exe
4552	timeout.exe
5096	timeout.exe
2012	timeout.exe
5064	timeout.exe
3792	timeout.exe
2356	timeout.exe
1768	timeout.exe
1852	timeout.exe
4504	timeout.exe
2012	timeout.exe
1100	timeout.exe
3604	timeout.exe
1904	timeout.exe
1852	timeout.exe
4644	timeout.exe
2016	timeout.exe
4656	timeout.exe
4364	timeout.exe
4808	timeout.exe
556	timeout.exe
368	timeout.exe
4796	timeout.exe
3660	timeout.exe
3564	timeout.exe
3304	timeout.exe
4860	timeout.exe
1196	timeout.exe
4748	timeout.exe
4792	timeout.exe
1396	timeout.exe
1628	timeout.exe
1228	timeout.exe
3180	timeout.exe
3868	timeout.exe
3676	timeout.exe
4072	timeout.exe
556	timeout.exe
4164	timeout.exe
2476	timeout.exe
3628	timeout.exe
1104	timeout.exe
2236	timeout.exe
4536	timeout.exe
2828	timeout.exe
3400	timeout.exe
1336	timeout.exe
1044	timeout.exe
880	timeout.exe
4364	timeout.exe
1064	timeout.exe
2904	timeout.exe
4908	timeout.exe
4796	timeout.exe
3068	timeout.exe
1172	timeout.exe
1604	timeout.exe
1660	timeout.exe
3308	timeout.exe
4828	timeout.exe
3692	timeout.exe
1580	timeout.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
4160	tasklist.exe
1192	tasklist.exe
1740	tasklist.exe
4132	tasklist.exe
5088	tasklist.exe
3184	tasklist.exe
5096	tasklist.exe
2536	tasklist.exe
4048	tasklist.exe
3624	tasklist.exe
1160	tasklist.exe
4140	tasklist.exe
4712	tasklist.exe
4148	tasklist.exe
3468	tasklist.exe
4164	tasklist.exe
2080	tasklist.exe
3184	tasklist.exe
4300	tasklist.exe
4336	tasklist.exe
1580	tasklist.exe
672	tasklist.exe
4696	tasklist.exe
4456	tasklist.exe
4816	tasklist.exe
3692	tasklist.exe
556	tasklist.exe
1552	tasklist.exe
880	tasklist.exe
3672	tasklist.exe
5064	tasklist.exe
2204	tasklist.exe
4604	tasklist.exe
1000	tasklist.exe
4352	tasklist.exe
2756	tasklist.exe
4124	tasklist.exe
3080	tasklist.exe
2796	tasklist.exe
5088	tasklist.exe
4976	tasklist.exe
3860	tasklist.exe
4656	tasklist.exe
2784	tasklist.exe
3388	tasklist.exe
4996	tasklist.exe
368	tasklist.exe
4316	tasklist.exe
3228	tasklist.exe
3976	tasklist.exe
4808	tasklist.exe
3628	tasklist.exe
2796	tasklist.exe
2000	tasklist.exe
4536	tasklist.exe
1100	tasklist.exe
3292	tasklist.exe
216	tasklist.exe
4504	tasklist.exe
4260	tasklist.exe
1652	tasklist.exe
3548	tasklist.exe
2128	tasklist.exe
1248	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4656	powershell.exe
4656	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4456	tasklist.exe
Token: SeDebugPrivilege	3860	tasklist.exe
Token: SeDebugPrivilege	5064	tasklist.exe
Token: SeDebugPrivilege	4996	tasklist.exe
Token: SeDebugPrivilege	4132	tasklist.exe
Token: SeDebugPrivilege	4816	tasklist.exe
Token: SeDebugPrivilege	880	tasklist.exe
Token: SeDebugPrivilege	1100	tasklist.exe
Token: SeDebugPrivilege	5088	tasklist.exe
Token: SeDebugPrivilege	3468	tasklist.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	4976	tasklist.exe
Token: SeDebugPrivilege	4140	tasklist.exe
Token: SeDebugPrivilege	4160	tasklist.exe
Token: SeDebugPrivilege	368	tasklist.exe
Token: SeDebugPrivilege	5088	tasklist.exe
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	4164	tasklist.exe
Token: SeDebugPrivilege	2080	tasklist.exe
Token: SeDebugPrivilege	3184	tasklist.exe
Token: SeDebugPrivilege	4656	tasklist.exe
Token: SeDebugPrivilege	4808	tasklist.exe
Token: SeDebugPrivilege	3628	tasklist.exe
Token: SeDebugPrivilege	5096	tasklist.exe
Token: SeDebugPrivilege	3548	tasklist.exe
Token: SeDebugPrivilege	2784	tasklist.exe
Token: SeDebugPrivilege	2536	tasklist.exe
Token: SeDebugPrivilege	4316	tasklist.exe
Token: SeDebugPrivilege	3692	tasklist.exe
Token: SeDebugPrivilege	4352	tasklist.exe
Token: SeDebugPrivilege	3228	tasklist.exe
Token: SeDebugPrivilege	4048	tasklist.exe
Token: SeDebugPrivilege	2796	tasklist.exe
Token: SeDebugPrivilege	2128	tasklist.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	3292	tasklist.exe
Token: SeDebugPrivilege	216	tasklist.exe
Token: SeDebugPrivilege	4712	tasklist.exe
Token: SeDebugPrivilege	1876	tasklist.exe
Token: SeDebugPrivilege	2756	tasklist.exe
Token: SeDebugPrivilege	4700	tasklist.exe
Token: SeDebugPrivilege	4124	tasklist.exe
Token: SeDebugPrivilege	4604	tasklist.exe
Token: SeDebugPrivilege	1248	tasklist.exe
Token: SeDebugPrivilege	672	tasklist.exe
Token: SeDebugPrivilege	4696	tasklist.exe
Token: SeDebugPrivilege	3080	tasklist.exe
Token: SeDebugPrivilege	3624	tasklist.exe
Token: SeDebugPrivilege	3388	tasklist.exe
Token: SeDebugPrivilege	4504	tasklist.exe
Token: SeDebugPrivilege	2000	tasklist.exe
Token: SeDebugPrivilege	4148	tasklist.exe
Token: SeDebugPrivilege	3976	tasklist.exe
Token: SeDebugPrivilege	3576	tasklist.exe
Token: SeDebugPrivilege	4260	tasklist.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	4860	tasklist.exe
Token: SeDebugPrivilege	1192	tasklist.exe
Token: SeDebugPrivilege	4536	tasklist.exe
Token: SeDebugPrivilege	3672	tasklist.exe
Token: SeDebugPrivilege	1552	tasklist.exe
Token: SeDebugPrivilege	1740	tasklist.exe
Token: SeDebugPrivilege	1160	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 2964	920	cmd.exe	91
PID 920 wrote to memory of 2964	920	cmd.exe	91
PID 920 wrote to memory of 4656	920	cmd.exe	92
PID 920 wrote to memory of 4656	920	cmd.exe	92
PID 920 wrote to memory of 1232	920	cmd.exe	107
PID 920 wrote to memory of 1232	920	cmd.exe	107
PID 920 wrote to memory of 1232	920	cmd.exe	107
PID 920 wrote to memory of 1100	920	cmd.exe	108
PID 920 wrote to memory of 1100	920	cmd.exe	108
PID 1232 wrote to memory of 2840	1232	python_installer.exe	109
PID 1232 wrote to memory of 2840	1232	python_installer.exe	109
PID 1232 wrote to memory of 2840	1232	python_installer.exe	109
PID 920 wrote to memory of 4456	920	cmd.exe	110
PID 920 wrote to memory of 4456	920	cmd.exe	110
PID 920 wrote to memory of 4696	920	cmd.exe	111
PID 920 wrote to memory of 4696	920	cmd.exe	111
PID 920 wrote to memory of 2016	920	cmd.exe	112
PID 920 wrote to memory of 2016	920	cmd.exe	112
PID 920 wrote to memory of 3860	920	cmd.exe	113
PID 920 wrote to memory of 3860	920	cmd.exe	113
PID 920 wrote to memory of 736	920	cmd.exe	114
PID 920 wrote to memory of 736	920	cmd.exe	114
PID 920 wrote to memory of 4164	920	cmd.exe	115
PID 920 wrote to memory of 4164	920	cmd.exe	115
PID 920 wrote to memory of 5064	920	cmd.exe	116
PID 920 wrote to memory of 5064	920	cmd.exe	116
PID 920 wrote to memory of 2080	920	cmd.exe	117
PID 920 wrote to memory of 2080	920	cmd.exe	117
PID 920 wrote to memory of 2012	920	cmd.exe	118
PID 920 wrote to memory of 2012	920	cmd.exe	118
PID 920 wrote to memory of 4996	920	cmd.exe	119
PID 920 wrote to memory of 4996	920	cmd.exe	119
PID 920 wrote to memory of 4072	920	cmd.exe	120
PID 920 wrote to memory of 4072	920	cmd.exe	120
PID 920 wrote to memory of 2236	920	cmd.exe	121
PID 920 wrote to memory of 2236	920	cmd.exe	121
PID 920 wrote to memory of 4132	920	cmd.exe	122
PID 920 wrote to memory of 4132	920	cmd.exe	122
PID 920 wrote to memory of 3680	920	cmd.exe	123
PID 920 wrote to memory of 3680	920	cmd.exe	123
PID 920 wrote to memory of 2864	920	cmd.exe	124
PID 920 wrote to memory of 2864	920	cmd.exe	124
PID 920 wrote to memory of 4816	920	cmd.exe	125
PID 920 wrote to memory of 4816	920	cmd.exe	125
PID 920 wrote to memory of 3228	920	cmd.exe	126
PID 920 wrote to memory of 3228	920	cmd.exe	126
PID 920 wrote to memory of 4336	920	cmd.exe	127
PID 920 wrote to memory of 4336	920	cmd.exe	127
PID 920 wrote to memory of 880	920	cmd.exe	128
PID 920 wrote to memory of 880	920	cmd.exe	128
PID 920 wrote to memory of 3432	920	cmd.exe	129
PID 920 wrote to memory of 3432	920	cmd.exe	129
PID 920 wrote to memory of 4364	920	cmd.exe	130
PID 920 wrote to memory of 4364	920	cmd.exe	130
PID 920 wrote to memory of 1100	920	cmd.exe	131
PID 920 wrote to memory of 1100	920	cmd.exe	131
PID 920 wrote to memory of 556	920	cmd.exe	132
PID 920 wrote to memory of 556	920	cmd.exe	132
PID 920 wrote to memory of 3304	920	cmd.exe	133
PID 920 wrote to memory of 3304	920	cmd.exe	133
PID 920 wrote to memory of 5088	920	cmd.exe	135
PID 920 wrote to memory of 5088	920	cmd.exe	135
PID 920 wrote to memory of 4456	920	cmd.exe	136
PID 920 wrote to memory of 4456	920	cmd.exe	136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\auto_setup_install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe', 'C:\Users\Admin\AppData\Local\Temp\python_installer.exe')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Users\Admin\AppData\Local\Temp\python_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\python_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\Temp\{45F073D3-2263-47D2-9017-C684E4B49770}\.cr\python_installer.exe
    "C:\Windows\Temp\{45F073D3-2263-47D2-9017-C684E4B49770}\.cr\python_installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python_installer.exe" -burn.filehandle.attached=552 -burn.filehandle.self=708
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2840
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1100
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4696
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2016
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:736
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4164
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2080
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2012
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4072
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2236
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3680
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2864
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3228
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4336
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3432
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4364
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:556
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3304
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4456
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3308
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2756
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4828
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4700
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4656
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3340
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2476
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1516
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4364
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:672
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4860
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:5028
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1196
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2944
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4552
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1072
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4796
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3624
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4748
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2012
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3692
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2236
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3604
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1604
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3068
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4816
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1904
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4576
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2356
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3652
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4792
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3292
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1172
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:5008
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1064
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4128
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4504
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4748
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5064
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4148
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  PID:4716
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1228
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1604
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:804
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4808
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4112
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3628
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1768
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:556
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1252
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:5096
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2120
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:368
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3564
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4848
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3080
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4536
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4608
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2828
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1732
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4796
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3688
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3660
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4132
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  PID:4548
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3184
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1852
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4716
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1104
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3420
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1768
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:5096
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1580
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3548
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3564
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2144
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1396
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4128
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1628
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1708
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3792
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1740
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2904
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:1596
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3400
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4672
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1852
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3312
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1228
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2404
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1336
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3516
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  PID:4976
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4884
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3180
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4792
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1660
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2028
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  PID:3292
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:116
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3868
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2464
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3676
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3688
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4072
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4892
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2012
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:5064
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1044
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:3184
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3468
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:880
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:4300
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:3976
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4908
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:2796
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:2404
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4644
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:4336
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4260
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  PID:180
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:1000
- C:\Windows\system32\find.exe
  find /i "python_installer.exe"
  2⤵
  PID:4976
- C:\Windows\system32\timeout.exe
  timeout /t 2 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:8
1⤵
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lti4lrlk.exy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\python_installer.exe

Filesize
27.3MB

MD5
9a99ae597902b70b1273e88cc8d41abd

SHA1
058c5319e77a698b185975084c7be7d25ae021b2

SHA256
69165821dad57c6d8d29ec8598933db7c4498f8ef9d477fa13c677fd82567b58

SHA512
ad8e63ab10ad324ffc897346d18ee8a91459bbcb4f433103c94177eefe5aa512a996efac4284e8f9fd5c91c1e86bd7594b58eb9ecc235512bd55e9d5355fdc84

Download Submit
C:\Windows\Temp\{45F073D3-2263-47D2-9017-C684E4B49770}\.cr\python_installer.exe

Filesize
847KB

MD5
23c2a4873a11487432a5a9f8fae22daf

SHA1
b54c2efc8e82da30bb572f1c8b38caaa83fe9f4c

SHA256
06534685e5d6290f714396cd31eaea9c5db2db897c81ccebb83c18e2a8f7f500

SHA512
8c4f8677be71b6d2d6ac73c94c3d6e2b401b1b849b1298b58f6ef922739477a58fc2ab5b15520ccfb8014a7b877768b04830ef590b4859304246f5e3cca97ce7

Download Submit
C:\Windows\Temp\{8D3B3DEF-3D94-4811-88A7-7C7BD93DFDC4}\.ba\PythonBA.dll

Filesize
650KB

MD5
8a0ff08cb1a531501f1ebe6ac7c0bd2b

SHA1
16a8b02eb8dde520a20a139d9dcb784edf75f2c0

SHA256
4b52b37b1c2e5f5d1ab5d6d22c4c4095b63ddf26fb9dec24254deef102daa1fe

SHA512
da95551e1e6c9528f503668cc57cb0dd8d220c441d3d3d0ca7d4a59e665dbc00e0f0fc434b880aeea984f3f5b1bc3b5091786231454875e0833965a3a25df8f1

Download Submit
C:\Windows\Temp\{8D3B3DEF-3D94-4811-88A7-7C7BD93DFDC4}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
memory/4656-0-0x00007FFCAD333000-0x00007FFCAD335000-memory.dmp

Filesize
8KB

Download
memory/4656-10-0x00000175E5550000-0x00000175E5572000-memory.dmp

Filesize
136KB

Download
memory/4656-11-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-12-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-16-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

Filesize
10.8MB

Download