analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Defender.Remover.exe

Full analysis: https://app.any.run/tasks/0d46a467-a684-4508-8b37-d0da65f5d7e1
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: August 12, 2022, 22:12:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
hildacrypt
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

9F81F80FB2E104B46EBE891988342D43

SHA1:

41F1DEFEC86E0FDA43CD3FFF377ABE08D9A1F222

SHA256:

91ADA6A0EA3B4C323F6BBE008ECD047911F06C4477824324921A73173C94B84E

SSDEEP:

49152:N1OshksfP6Kl9E4puapqAq8RiJzB8XMMiS9gl8v29S:N1OIksaKk4RjqbZB8pT9gGf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • melody.exe (PID: 3336)
      • melody.exe (PID: 3916)
      • melody.exe (PID: 2464)
      • melody.exe (PID: 3520)
      • dismhost.exe (PID: 1440)
      • dismhost.exe (PID: 3132)
      • dismhost.exe (PID: 3620)
      • dismhost.exe (PID: 3016)
      • dismhost.exe (PID: 1612)
      • dismhost.exe (PID: 3284)
      • dismhost.exe (PID: 2548)
      • dismhost.exe (PID: 3484)
      • melody.exe (PID: 1860)
      • dismhost.exe (PID: 3800)
      • dismhost.exe (PID: 2816)
      • melody.exe (PID: 1252)
      • melody.exe (PID: 676)
      • melody.exe (PID: 2320)
      • melody.exe (PID: 2460)
      • melody.exe (PID: 280)
      • melody.exe (PID: 3396)
      • melody.exe (PID: 3404)
      • melody.exe (PID: 4060)

    • Drops executable file immediately after starts

      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • Defender.Remover.exe (PID: 2292)
      • csc.exe (PID: 1352)
      • dism.exe (PID: 3256)
      • dism.exe (PID: 2564)
      • dism.exe (PID: 3052)
      • dism.exe (PID: 304)
      • dism.exe (PID: 2528)
      • dism.exe (PID: 3124)
      • dism.exe (PID: 3000)
      • dism.exe (PID: 280)
      • dism.exe (PID: 1128)
      • dism.exe (PID: 2488)

    • Disables Windows Defender

      • regedit.exe (PID: 2192)

    • Loads dropped or rewritten executable

      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • PkgMgr.exe (PID: 3080)
      • TrustedInstaller.exe (PID: 2160)
      • dismhost.exe (PID: 1440)
      • dism.exe (PID: 3256)
      • PkgMgr.exe (PID: 3028)
      • dism.exe (PID: 2564)
      • dismhost.exe (PID: 3132)
      • PkgMgr.exe (PID: 2844)
      • dism.exe (PID: 3052)
      • dism.exe (PID: 304)
      • dismhost.exe (PID: 3620)
      • PkgMgr.exe (PID: 2332)
      • PkgMgr.exe (PID: 3964)
      • dismhost.exe (PID: 3016)
      • dism.exe (PID: 2528)
      • dismhost.exe (PID: 1612)
      • PkgMgr.exe (PID: 2812)
      • dism.exe (PID: 3124)
      • dismhost.exe (PID: 3284)
      • PkgMgr.exe (PID: 3724)
      • dism.exe (PID: 3000)
      • dismhost.exe (PID: 2548)
      • PkgMgr.exe (PID: 1504)
      • dism.exe (PID: 280)
      • dismhost.exe (PID: 3484)
      • PkgMgr.exe (PID: 1992)
      • dism.exe (PID: 1128)
      • dismhost.exe (PID: 3800)
      • PkgMgr.exe (PID: 3608)
      • dism.exe (PID: 2488)
      • dismhost.exe (PID: 2816)

    • UAC/LUA settings modification

      • regedit.exe (PID: 2976)

    • Changes Security Center notification settings

      • regedit.exe (PID: 672)

    • Starts Visual C# compiler

      • powershell.exe (PID: 2512)

    • HILDACRYPT detected

      • TrustedInstaller.exe (PID: 2160)

  • SUSPICIOUS

    • Checks supported languages

      • powershell.exe (PID: 372)
      • Defender.Remover.exe (PID: 2292)
      • powershell.exe (PID: 2512)
      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • cmd.exe (PID: 2764)
      • melody.exe (PID: 3916)
      • melody.exe (PID: 3336)
      • csc.exe (PID: 1352)
      • melody.exe (PID: 2464)
      • cvtres.exe (PID: 2156)
      • melody.exe (PID: 3520)
      • dismhost.exe (PID: 1440)
      • TrustedInstaller.exe (PID: 2160)
      • dismhost.exe (PID: 3132)
      • dismhost.exe (PID: 3620)
      • dismhost.exe (PID: 3016)
      • dismhost.exe (PID: 1612)
      • dismhost.exe (PID: 3284)
      • dismhost.exe (PID: 2548)
      • dismhost.exe (PID: 3484)
      • melody.exe (PID: 1860)
      • dismhost.exe (PID: 3800)
      • dismhost.exe (PID: 2816)
      • melody.exe (PID: 676)
      • melody.exe (PID: 1252)
      • melody.exe (PID: 2460)
      • melody.exe (PID: 280)
      • melody.exe (PID: 2320)
      • melody.exe (PID: 3396)
      • melody.exe (PID: 3404)
      • melody.exe (PID: 4060)

    • Reads the computer name

      • powershell.exe (PID: 372)
      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • powershell.exe (PID: 2512)
      • melody.exe (PID: 3336)
      • melody.exe (PID: 3916)
      • melody.exe (PID: 2464)
      • melody.exe (PID: 3520)
      • dismhost.exe (PID: 1440)
      • TrustedInstaller.exe (PID: 2160)
      • dismhost.exe (PID: 3132)
      • dismhost.exe (PID: 3620)
      • dismhost.exe (PID: 3016)
      • dismhost.exe (PID: 1612)
      • dismhost.exe (PID: 3284)
      • dismhost.exe (PID: 2548)
      • melody.exe (PID: 1860)
      • dismhost.exe (PID: 3484)
      • dismhost.exe (PID: 3800)
      • dismhost.exe (PID: 2816)
      • melody.exe (PID: 2320)
      • melody.exe (PID: 280)
      • melody.exe (PID: 1252)
      • melody.exe (PID: 676)
      • melody.exe (PID: 2460)
      • melody.exe (PID: 3396)
      • melody.exe (PID: 3404)
      • melody.exe (PID: 4060)

    • Creates a directory in Program Files

      • OneClickFirewall-1.0.0.2.exe (PID: 2976)

    • Creates files in the program directory

      • OneClickFirewall-1.0.0.2.exe (PID: 2976)

    • Changes default file association

      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • regedit.exe (PID: 1044)

    • Executable content was dropped or overwritten

      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • Defender.Remover.exe (PID: 2292)
      • csc.exe (PID: 1352)
      • dism.exe (PID: 3256)
      • dism.exe (PID: 2564)
      • dism.exe (PID: 3052)
      • dism.exe (PID: 304)
      • dism.exe (PID: 2528)
      • dism.exe (PID: 3124)
      • dism.exe (PID: 3000)
      • dism.exe (PID: 280)
      • dism.exe (PID: 1128)
      • dism.exe (PID: 2488)

    • Drops a file with a compile date too recent

      • Defender.Remover.exe (PID: 2292)
      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • csc.exe (PID: 1352)
      • dism.exe (PID: 3256)
      • dism.exe (PID: 2564)
      • dism.exe (PID: 3052)
      • dism.exe (PID: 304)
      • dism.exe (PID: 2528)
      • dism.exe (PID: 3124)
      • dism.exe (PID: 3000)
      • dism.exe (PID: 280)
      • dism.exe (PID: 1128)
      • dism.exe (PID: 2488)

    • Application launched itself

      • powershell.exe (PID: 372)

    • Creates a software uninstall entry

      • OneClickFirewall-1.0.0.2.exe (PID: 2976)
      • regedit.exe (PID: 2192)

    • Reads the date of Windows installation

      • powershell.exe (PID: 2512)

    • Executed as Windows Service

      • vssvc.exe (PID: 1100)

    • Reads Environment values

      • vssvc.exe (PID: 1100)

    • Creates or modifies windows services

      • TrustedInstaller.exe (PID: 2160)

    • Searches for installed software

      • TrustedInstaller.exe (PID: 2160)

  • INFO

    • Checks Windows Trust Settings

      • powershell.exe (PID: 372)
      • powershell.exe (PID: 2512)

    • Checks supported languages

      • regedit.exe (PID: 2192)
      • regedit.exe (PID: 1204)
      • regedit.exe (PID: 2372)
      • regedit.exe (PID: 1044)
      • regedit.exe (PID: 2932)
      • regedit.exe (PID: 2568)
      • regedit.exe (PID: 672)
      • regedit.exe (PID: 2976)
      • regedit.exe (PID: 3216)
      • makecab.exe (PID: 3264)
      • PkgMgr.exe (PID: 3080)
      • dism.exe (PID: 3256)
      • vssvc.exe (PID: 1100)
      • PkgMgr.exe (PID: 3028)
      • dism.exe (PID: 2564)
      • makecab.exe (PID: 1288)
      • dism.exe (PID: 3052)
      • PkgMgr.exe (PID: 2844)
      • makecab.exe (PID: 1484)
      • PkgMgr.exe (PID: 3964)
      • dism.exe (PID: 304)
      • makecab.exe (PID: 2180)
      • PkgMgr.exe (PID: 2332)
      • dism.exe (PID: 2528)
      • makecab.exe (PID: 404)
      • dism.exe (PID: 3124)
      • PkgMgr.exe (PID: 2812)
      • makecab.exe (PID: 1352)
      • PkgMgr.exe (PID: 3724)
      • dism.exe (PID: 3000)
      • makecab.exe (PID: 1136)
      • PkgMgr.exe (PID: 1504)
      • dism.exe (PID: 280)
      • makecab.exe (PID: 3604)
      • PkgMgr.exe (PID: 1992)
      • dism.exe (PID: 1128)
      • makecab.exe (PID: 2640)
      • PkgMgr.exe (PID: 3608)
      • makecab.exe (PID: 2332)
      • dism.exe (PID: 2488)
      • bcdedit.exe (PID: 1208)
      • timeout.exe (PID: 3916)

    • Reads the computer name

      • dism.exe (PID: 3256)
      • vssvc.exe (PID: 1100)
      • dism.exe (PID: 2564)
      • dism.exe (PID: 3052)
      • dism.exe (PID: 304)
      • dism.exe (PID: 2528)
      • dism.exe (PID: 3124)
      • dism.exe (PID: 3000)
      • dism.exe (PID: 280)
      • dism.exe (PID: 1128)
      • dism.exe (PID: 2488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:18 17:27:35+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 104960
InitializedDataSize: 314368
UninitializedDataSize: -
EntryPoint: 0x14b04
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 10.1.0.0
ProductVersionNumber: 10.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Gallery Inc
FileDescription: Windows Defender Remover Script
FileVersion: 10.1
InternalName: defender.mpm
LegalCopyright: Gallery Inc
OriginalFileName: defender.mpm
ProductName: Windows Defender Remover Script
ProductVersion: 10.1

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Nov-2010 16:27:35
Detected languages:
  • English - United States
CompanyName: Gallery Inc
FileDescription: Windows Defender Remover Script
FileVersion: 10.1
InternalName: defender.mpm
LegalCopyright: Gallery Inc
OriginalFilename: defender.mpm
ProductName: Windows Defender Remover Script
ProductVersion: 10.1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 18-Nov-2010 16:27:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000199EA
0x00019A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60849
.rdata
0x0001B000
0x00004494
0x00004600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.36802
.data
0x00020000
0x00005A48
0x00003200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.37054
.sxdata
0x00026000
0x00000004
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
0x00027000
0x00042738
0x00042800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.10527

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.2986
756
UNKNOWN
English - United States
RT_VERSION
5
1.43775
52
UNKNOWN
English - United States
RT_STRING
500
3.09294
184
UNKNOWN
English - United States
RT_DIALOG

Imports

KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
74
Malicious processes
47
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start defender.remover.exe no specs defender.remover.exe cmd.exe no specs oneclickfirewall-1.0.0.2.exe powershell.exe no specs powershell.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe no specs melody.exe no specs melody.exe no specs csc.exe melody.exe no specs melody.exe no specs cvtres.exe no specs pkgmgr.exe no specs makecab.exe no specs dism.exe dismhost.exe vssvc.exe no specs #HILDACRYPT trustedinstaller.exe no specs pkgmgr.exe no specs makecab.exe no specs dism.exe dismhost.exe pkgmgr.exe no specs dism.exe makecab.exe no specs dismhost.exe pkgmgr.exe no specs makecab.exe no specs dism.exe dismhost.exe pkgmgr.exe no specs makecab.exe no specs dism.exe dismhost.exe pkgmgr.exe no specs dism.exe makecab.exe no specs dismhost.exe pkgmgr.exe no specs dism.exe makecab.exe no specs dismhost.exe pkgmgr.exe no specs dism.exe makecab.exe no specs dismhost.exe melody.exe no specs pkgmgr.exe no specs dism.exe makecab.exe no specs dismhost.exe pkgmgr.exe no specs dism.exe makecab.exe no specs dismhost.exe melody.exe no specs melody.exe no specs melody.exe no specs melody.exe no specs melody.exe no specs melody.exe no specs melody.exe no specs melody.exe no specs bcdedit.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3488"C:\Users\admin\AppData\Local\Temp\Defender.Remover.exe" C:\Users\admin\AppData\Local\Temp\Defender.Remover.exeExplorer.EXE
User:
admin
Company:
Gallery Inc
Integrity Level:
MEDIUM
Description:
Windows Defender Remover Script
Exit code:
3221226540
Version:
10.1
2292"C:\Users\admin\AppData\Local\Temp\Defender.Remover.exe" C:\Users\admin\AppData\Local\Temp\Defender.Remover.exe
Explorer.EXE
User:
admin
Company:
Gallery Inc
Integrity Level:
HIGH
Description:
Windows Defender Remover Script
Exit code:
0
Version:
10.1
2764C:\Windows\system32\cmd.exe /c .\run.batC:\Windows\system32\cmd.exeDefender.Remover.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2976OneClickFirewall-1.0.0.2.exe /SC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\OneClickFirewall-1.0.0.2.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
372PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\.\exploit_removal.ps1""' -Verb RunAs}"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2512"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\.\exploit_removal.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2192regedit.exe /s "registry\Antivirus.reg"C:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2372regedit.exe /s "registry\Defender Anti-Phishing.reg"C:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1204regedit.exe /s "registry\Exploit Guard.reg"C:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1044regedit.exe /s "registry\Firewall Contextual Menu Implementation.reg"C:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
15 066
Read events
12 963
Write events
0
Delete events
0

Modification events

No data
Executable files
321
Suspicious files
22
Text files
53
Unknown types
21

Dropped files

PID
Process
Filename
Type
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\Defender Anti-Phishing.regtext
MD5:537628C875ADD5296634C8BD184354C6
SHA256:127AF9137304AAA691229E70DA147F02883D04CE6B051CC0DB872551AE9C4E70
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\Firewall Contextual Menu Implementation.regtext
MD5:877F4C7BD3FF0F15E9632A71027F3C86
SHA256:B949C86DB0568F1B03C79FB29D1F9B2E3DF39F26A942046FCED8E7E404070FEF
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\disabler\Antivirus_d.regtext
MD5:A7E0E352E69E3207CD98F195E49900AD
SHA256:FABB20A97C6CA3161F30276C435B953EA79F9A870D1C686FD378ADEB4B1AAACF
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\exploit_removal.ps1text
MD5:CB77D2CC55AE2A4D1BB91F88F5B3ECC4
SHA256:293B7BD7559E9A34750A6E4EE04F5BC11957236554F18D140D62BB4EA101920B
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\disabler\SmartScreen.regtext
MD5:BF3BFB0596360D4E2CE33CA0C9CC38CD
SHA256:4B9E4A72B29650BB4D3EC46FC2C195E65E2FC1BE1EF86BB3648F61CFD3F3AE3E
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\Security Health.regtext
MD5:AEB6A4A7F3D9862533C2007C7CD3CE4A
SHA256:625A6A0C19CA4287E8CFA88F116FC701A9EAC59E1235CEE4D22B71ADD5DACDF3
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\Virtualization.regtext
MD5:88015E790D6A363D40182B17864CDC40
SHA256:DE9F4AAF69061DD397AD40A0225AAACF632EBAB926F82E702DA7987AC7287E68
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\disabler\Defender Anti-Phishing_e.regtext
MD5:5EE3754C04570C5B55A64DA4C1394FF9
SHA256:2E181929276CA1C8FA169F84C4F413D9A7573FA38815854C9C0AF8789D39EB10
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\SmartScreen.regtext
MD5:BF3BFB0596360D4E2CE33CA0C9CC38CD
SHA256:4B9E4A72B29650BB4D3EC46FC2C195E65E2FC1BE1EF86BB3648F61CFD3F3AE3E
2292Defender.Remover.exeC:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\disabler\Windows Security Center_e.regtext
MD5:E26144961435049BD0FF17F14B698361
SHA256:B169A7DE6CF745FF32234CD28ADF43C6F51AF994A6E195EEE8179C61D4719E21
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
dism.exe
PID=3256 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
dism.exe
PID=3256 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
dism.exe
PID=3256 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
dism.exe
PID=3256 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
dism.exe
PID=3256 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
dism.exe
PID=3256 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
dism.exe
PID=3256 Getting Provider OSServices - CDISMProviderStore::GetProvider
dism.exe
PID=3256 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)
dism.exe
PID=3256 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)
dismhost.exe
PID=1440 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Defender.Remover.exe