Edit tour

Windows Analysis Report
DefendUpdate.exe

Overview

General Information

Sample Name:	DefendUpdate.exe
Analysis ID:	829698
MD5:	d9c8a47ef46ec852f3eddad0ea93a799
SHA1:	d8abd4904ce2a225226278556511473c1d0ea406
SHA256:	ae3e61c6db3e5886a7265c46658833259e5342e0f233fd980e9b4243d16f3336
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Sample execution stops while process was sleeping (likely an evasion)

Queries the volume information (name, serial number etc) of a device

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

DefendUpdate.exe (PID: 6016 cmdline: C:\Users\user\Desktop\DefendUpdate.exe MD5: D9C8A47EF46EC852F3EDDAD0EA93A799)

cmd.exe (PID: 1536 cmdline: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\DefendUpdate.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

choice.exe (PID: 6136 cmdline: choice /C Y /N /D Y /T 0 MD5: EA29BC6BCB1EFCE9C9946C3602F3E754)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DefendUpdate.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: DefendUpdate.exe	ReversingLabs: Detection: 28%
Source: DefendUpdate.exe	Virustotal: Detection: 30%			Perma Link

Source: DefendUpdate.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\	Jump to behavior

Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: flate: internal error: frame_goaway_has_streamframe_headers_pad_shortframe_rststream_bad_lengarbage collection scangcDrain phase incorrecthttp2: handler panickedhttp: request too largehttps://www.youtube.comindex out of range [%x]interrupted system callinvalid PrintableStringinvalid URI for requestinvalid UUID length: %dinvalid escape sequenceinvalid m->lockedInt = invalid response code: invalid scalar encodingjson: cannot unmarshal left over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing 0xff00 sequencemissing port in addressmissing protocol schememissing type in runfinqmultipart: NextPart: %vnanotime returning zeronet/http context value net/http: abort Handlernetwork not implementedno application protocolno space left on devicenon-zero reserved fieldoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timeskipping Question Classspan has no free stackssql: database is closedstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8time: invalid duration tls: invalid PSK bindertoo many pointers (>10)truncated tag or lengthunexpected Huffman codeunexpected address typeunexpected map key typeunknown empty width argunknown error code 0x%xunpacking Question.Nameunpacking Question.Typeunsupported certificatevarint integer overflowwork.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version() => this.parentElement, equals www.youtube.com (Youtube)
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: got CONTINUATION for stream %d; expected stream %dhttp: putIdleConn: CloseIdleConnections was calledhttp: suspiciously long trailer after chunked bodyhttps://www.youtube.com/getAccountSwitcherEndpointmallocgc called with gcphase == _GCmarkterminationnet/http: HTTP/1.x transport connection broken: %vnet/http: Transport failed to read from server: %vnet/http: cannot rewind body after connection lossrecursive call during initialization - linker skewreflect.Value.Slice3: slice of unaddressable arrayruntime: unable to acquire - semaphore out of synctls: invalid signature by the client certificate: tls: invalid signature by the server certificate: tls: received unexpected CertificateStatus messagex509: RSA public exponent is not a positive numberx509: invalid RDNSequence: invalid attribute valuex509: missing ASN.1 contents; use ParseCertificate{ equals www.youtube.com (Youtube)

Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.bohemiancoding.com/sketch
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://go-rod.github.io/#/compatibility?id=os:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://go-rod.github.io/#/compatibility?id=osfunction(e)
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://golang.org/pkg/time/#ParseDuration)
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://playwright.azureedge.net/builds/chromium/%d/chromium-linux-arm64.ziptls:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://registry.npmmirror.com/-/binary/chromium-browser-snapshots/%s/%d/%stls:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://storage.googleapis.com/chromium-browser-snapshots/%s/%d/%sreflect:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.com/reauth
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.com/youtubei/v1/ars/grst?alt=json&key=net/http:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.com/youtubei/v1/security/get_web_reauth_url?alt=json&key=tls:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.youtube.com/getAccountSwitcherEndpointmallocgc
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.youtube.comindex
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://youtube.com/inconsistent
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://youtube.comif-unmodified-sinceillegal

Source: DefendUpdate.exe	ReversingLabs: Detection: 28%
Source: DefendUpdate.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\DefendUpdate.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal60.spyw.winEXE@6/0@0/0

Source: unknown	Process created: C:\Users\user\Desktop\DefendUpdate.exe C:\Users\user\Desktop\DefendUpdate.exe
Source: C:\Users\user\Desktop\DefendUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\DefendUpdate.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 0
Source: C:\Users\user\Desktop\DefendUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\DefendUpdate.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 0	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:676:120:WilError_01

Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: DefendUpdate.exe

Static file information: File size 4510208 > 1048576

Source: DefendUpdate.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x44ce00

Source: DefendUpdate.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: DefendUpdate.exe

Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\DefendUpdate.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\choice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\choice.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: DefendUpdate.exe, 00000000.00000002.256167775.0000023CE217C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\DefendUpdate.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\DefendUpdate.exe			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 0			Jump to behavior

Source: C:\Users\user\Desktop\DefendUpdate.exe

Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c22ad13a-a322-4fd2-af93-38f6ee0e683c	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_apdfllckaahabafndbhieahigkjlhalf	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform Notifications	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pjkljhegncpnkpknbcohdijeoejaedia	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Users\user\Desktop\DefendUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Software Packing	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
DefendUpdate.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DefendUpdate.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Windows Analysis Report
DefendUpdate.exe