70a733c2...c7bd

Severity	Category	Operation	Classification
4/5	OS	Modifies Windows automatic backups	-
Deletes Windows volume shadow copies. ... VTI Actions Go to process
4/5	File System	Known malicious file	Trojan
File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\wdm.exe" is a known malicious file. ... VTI Actions Go to file details Go to function call
2/5	Network	Attempts to connect to unavailable TCP servers	-
Every TCP connection attempt failed. ... VTI Actions Go to function call
2/5	File System	Known suspicious file	Trojan
File "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\setup.exe" is a known suspicious file. ... VTI Actions Go to file details Go to function call
File "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\uninst.exe" is a known suspicious file. ... VTI Actions Go to file details Go to function call
1/5	Process	Creates process with hidden window	-
The process "taskkill /F /IM sql /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im mysqld.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im sqlwriter.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im sqlserver.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im sqlservr.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im SQLyog.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im httpd.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im ApacheMonitor.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im mysqld-nt.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im sqlceip.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im sqlbrowser.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im FileZillaServer.exe" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM chrome.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM ie.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM firefox.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM opera.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM safari.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM taskmgr.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM 1c /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM excel.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM mspub.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM winword.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM powerpnt.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /F /IM notepad.exe /T" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im Microsoft.Exchange.*" starts with hidden window. ... VTI Actions Go to function call
The process "taskkill /f /im MSExchange*" starts with hidden window. ... VTI Actions Go to function call
The process "vssadmin.exe delete shadows /all /quiet" starts with hidden window. ... VTI Actions Go to function call
The process "wmic shadowcopy delete" starts with hidden window. ... VTI Actions Go to function call
The process "bcdedit /set {default} bootstatuspolicy ignoreallfailures" starts with hidden window. ... VTI Actions Go to function call
The process "bcdedit /set {default} recoveryenabled no" starts with hidden window. ... VTI Actions Go to function call
The process "wbadmin delete catalog -quiet" starts with hidden window. ... VTI Actions Go to function call
The process "wbadmin delete systemstatebackup -deleteOldest" starts with hidden window. ... VTI Actions Go to function call
The process "schtasks /Create /SC MINUTE /TN "Windows Defender Monitor" /TR "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\wdm.exe"" starts with hidden window. ... VTI Actions Go to function call
The process ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\wdm.exe"" starts with hidden window. ... VTI Actions Go to function call
1/5	Persistence	Installs system startup script or application	-
Adds "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\wdm.exe" to Windows startup via registry. ... VTI Actions Go to function call
1/5	Anti Analysis	Resolves APIs dynamically	-
Resolves an unusually high number of APIs. ... VTI Actions Go to function call
1/5	Process	Creates system object	-
Creates mutex with name "WindowsDefenderMonitorMutex". ... VTI Actions Go to function call
1/5	Network	Connects to remote host	-
Outgoing TCP connection to host "89.144.25.156:80". ... VTI Actions Go to function call
1/5	PE	Drops PE file	Dropper
Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\uninst.exe". ... VTI Actions Go to file details Go to function call
Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\wdm.exe". ... VTI Actions Go to file details Go to function call
Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\msvcr120.dll". ... VTI Actions Go to file details Go to function call
Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\libcrypto-1_1.dll". ... VTI Actions Go to file details Go to function call
Drops file "C:\Users\5P5NRG~1\AppData\Local\Temp\nsi8F36.tmp\InstallOptions.dll". ... VTI Actions Go to file details Go to function call
Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\libssl-1_1.dll". ... VTI Actions Go to file details Go to function call
1/5	PE	Executes dropped PE file	-
Executes dropped file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Windows Defender\wdm.exe". ... VTI Actions Go to file details Go to function call

Notifications (2/2)

Before

After