Field | Value
---|---
File name: | Defender.Remover.exe
Full analysis: | https://app.any.run/tasks/0d46a467-a684-4508-8b37-d0da65f5d7e1
Verdict: | Malicious activity
Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Analysis date: | August 12, 2022, 22:12:26
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/x-dosexec
File info: | PE32 executable (GUI) Intel 80386, for MS Windows
MD5: | 9F81F80FB2E104B46EBE891988342D43
SHA1: | 41F1DEFEC86E0FDA43CD3FFF377ABE08D9A1F222
SHA256: | 91ADA6A0EA3B4C323F6BBE008ECD047911F06C4477824324921A73173C94B84E
SSDEEP: | 49152:N1OshksfP6Kl9E4puapqAq8RiJzB8XMMiS9gl8v29S:N1OIksaKk4RjqbZB8pT9gGf

Extension | Identified type | Probability (%)
---|---|---
.exe | Win32 Executable MS Visual C++ (generic) | 67.4
.dll | Win32 Dynamic Link Library (generic) | 14.2
.exe | Win32 Executable (generic) | 9.7
.exe | Generic Win/DOS Executable | 4.3
.exe | DOS Executable Generic | 4.3

Field | Value
---|---
MachineType: | Intel 386 or later, and compatibles
TimeStamp: | 2010:11:18 17:27:35+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 104960 |
InitializedDataSize: | 314368 |
UninitializedDataSize: | - |
EntryPoint: | 0x14b04 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 10.1.0.0 |
ProductVersionNumber: | 10.1.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
CompanyName: | Gallery Inc |
FileDescription: | Windows Defender Remover Script |
FileVersion: | 10.1 |
InternalName: | defender.mpm |
LegalCopyright: | Gallery Inc |
OriginalFileName: | defender.mpm |
ProductName: | Windows Defender Remover Script |
ProductVersion: | 10.1 |

Field | Value
---|---
Architecture: | IMAGE_FILE_MACHINE_I386
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: | 18-Nov-2010 16:27:35
Detected languages: |
CompanyName: | Gallery Inc |
FileDescription: | Windows Defender Remover Script |
FileVersion: | 10.1 |
InternalName: | defender.mpm |
LegalCopyright: | Gallery Inc |
OriginalFilename: | defender.mpm |
ProductName: | Windows Defender Remover Script |
ProductVersion: | 10.1 |

Field | Value
---|---
Magic number: | MZ
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E8 |

Field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 18-Nov-2010 16:27:35 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
---|---|---|---|---|---
.text | 0x00001000 | 0x000199EA | 0x00019A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60849 |
.rdata | 0x0001B000 | 0x00004494 | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.36802 |
.data | 0x00020000 | 0x00005A48 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.37054 |
.sxdata | 0x00026000 | 0x00000004 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 0x00027000 | 0x00042738 | 0x00042800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.10527 |

Title | Entropy | Size | Codepage | Language | Type
---|---|---|---|---|---
1 | 3.2986 | 756 | UNKNOWN | English - United States | RT_VERSION |
5 | 1.43775 | 52 | UNKNOWN | English - United States | RT_STRING |
500 | 3.09294 | 184 | UNKNOWN | English - United States | RT_DIALOG |

Imported DLLs
---
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3488 | "C:\Users\admin\AppData\Local\Temp\Defender.Remover.exe" | C:\Users\admin\AppData\Local\Temp\Defender.Remover.exe | — | Explorer.EXE
User: admin; Company: Gallery Inc; Integrity Level: MEDIUM; Description: Windows Defender Remover Script; Exit code: 3221226540; Version: 10.1 | | | |
2292 | "C:\Users\admin\AppData\Local\Temp\Defender.Remover.exe" | C:\Users\admin\AppData\Local\Temp\Defender.Remover.exe | — | Explorer.EXE
User: admin; Company: Gallery Inc; Integrity Level: HIGH; Description: Windows Defender Remover Script; Exit code: 0; Version: 10.1 | | | |
2764 | C:\Windows\system32\cmd.exe /c .\run.bat | C:\Windows\system32\cmd.exe | — | Defender.Remover.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2976 | OneClickFirewall-1.0.0.2.exe /S | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\OneClickFirewall-1.0.0.2.exe | — | cmd.exe
User: admin; Integrity Level: HIGH; Exit code: 0 | | | |
372 | PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\.\exploit_removal.ps1""' -Verb RunAs}" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | | | |
2512 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\.\exploit_removal.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows PowerShell; Exit code: 0; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | | | |
2192 | regedit.exe /s "registry\Antivirus.reg" | C:\Windows\regedit.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Editor; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2372 | regedit.exe /s "registry\Defender Anti-Phishing.reg" | C:\Windows\regedit.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Editor; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1204 | regedit.exe /s "registry\Exploit Guard.reg" | C:\Windows\regedit.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Editor; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1044 | regedit.exe /s "registry\Firewall Contextual Menu Implementation.reg" | C:\Windows\regedit.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Editor; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\Defender Anti-Phishing.reg | text | 537628C875ADD5296634C8BD184354C6 | 127AF9137304AAA691229E70DA147F02883D04CE6B051CC0DB872551AE9C4E70
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\Firewall Contextual Menu Implementation.reg | text | 877F4C7BD3FF0F15E9632A71027F3C86 | B949C86DB0568F1B03C79FB29D1F9B2E3DF39F26A942046FCED8E7E404070FEF
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\disabler\Antivirus_d.reg | text | A7E0E352E69E3207CD98F195E49900AD | FABB20A97C6CA3161F30276C435B953EA79F9A870D1C686FD378ADEB4B1AAACF
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\exploit_removal.ps1 | text | CB77D2CC55AE2A4D1BB91F88F5B3ECC4 | 293B7BD7559E9A34750A6E4EE04F5BC11957236554F18D140D62BB4EA101920B
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\disabler\SmartScreen.reg | text | BF3BFB0596360D4E2CE33CA0C9CC38CD | 4B9E4A72B29650BB4D3EC46FC2C195E65E2FC1BE1EF86BB3648F61CFD3F3AE3E
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\Security Health.reg | text | AEB6A4A7F3D9862533C2007C7CD3CE4A | 625A6A0C19CA4287E8CFA88F116FC701A9EAC59E1235CEE4D22B71ADD5DACDF3
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\Virtualization.reg | text | 88015E790D6A363D40182B17864CDC40 | DE9F4AAF69061DD397AD40A0225AAACF632EBAB926F82E702DA7987AC7287E68
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\disabler\Defender Anti-Phishing_e.reg | text | 5EE3754C04570C5B55A64DA4C1394FF9 | 2E181929276CA1C8FA169F84C4F413D9A7573FA38815854C9C0AF8789D39EB10
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\registry\SmartScreen.reg | text | BF3BFB0596360D4E2CE33CA0C9CC38CD | 4B9E4A72B29650BB4D3EC46FC2C195E65E2FC1BE1EF86BB3648F61CFD3F3AE3E
2292 | Defender.Remover.exe | C:\Users\admin\AppData\Local\Temp\7zSDAB5.tmp\disabler\Windows Security Center_e.reg | text | E26144961435049BD0FF17F14B698361 | B169A7DE6CF745FF32234CD28ADF43C6F51AF994A6E195EEE8179C61D4719E21

Process | Message
---|---
dism.exe | PID=3256 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore |
dism.exe | PID=3256 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect |
dism.exe | PID=3256 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect |
dism.exe | PID=3256 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider |
dism.exe | PID=3256 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider |
dism.exe | PID=3256 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider |
dism.exe | PID=3256 Getting Provider OSServices - CDISMProviderStore::GetProvider |
dism.exe | PID=3256 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005) |
dism.exe | PID=3256 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005) |
dismhost.exe | PID=1440 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider |