
Windows Analysis Report
DefendUpdate.exe

Overview

General Information

Sample Name: DefendUpdate.exe
Analysis ID: 829698
MD5: d9c8a47ef46ec852f3eddad0ea93a799
SHA1: d8abd4904ce2a225226278556511473c1d0ea406
SHA256: ae3e61c6db3e5886a7265c46658833259e5342e0f233fd980e9b4243d16f3336
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Sample execution stops while process was sleeping (likely an evasion)
Queries the volume information (name, serial number etc) of a device
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • DefendUpdate.exe (PID: 6016 cmdline: C:\Users\user\Desktop\DefendUpdate.exe MD5: D9C8A47EF46EC852F3EDDAD0EA93A799)
    • cmd.exe (PID: 1536 cmdline: C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\DefendUpdate.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • choice.exe (PID: 6136 cmdline: choice /C Y /N /D Y /T 0 MD5: EA29BC6BCB1EFCE9C9946C3602F3E754)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: DefendUpdate.exe | Avira: detected
Source: DefendUpdate.exe | ReversingLabs: Detection: 28%
Source: DefendUpdate.exe | Virustotal: Detection: 30%
Source: DefendUpdate.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\DefendUpdate.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\
Source: C:\Users\user\Desktop\DefendUpdate.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\
Source: C:\Users\user\Desktop\DefendUpdate.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\
Source: C:\Users\user\Desktop\DefendUpdate.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\
Source: C:\Users\user\Desktop\DefendUpdate.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\
Source: C:\Users\user\Desktop\DefendUpdate.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: flate: internal error: frame_goaway_has_streamframe_headers_pad_shortframe_rststream_bad_lengarbage collection scangcDrain phase incorrecthttp2: handler panickedhttp: request too largehttps://www.youtube.comindex out of range [%x]interrupted system callinvalid PrintableStringinvalid URI for requestinvalid UUID length: %dinvalid escape sequenceinvalid m->lockedInt = invalid response code: invalid scalar encodingjson: cannot unmarshal left over markroot jobsmakechan: bad alignmentmalformed HTTP responsemissing 0xff00 sequencemissing port in addressmissing protocol schememissing type in runfinqmultipart: NextPart: %vnanotime returning zeronet/http context value net/http: abort Handlernetwork not implementedno application protocolno space left on devicenon-zero reserved fieldoperation not permittedoperation not supportedpanic during preemptoffprocresize: invalid argreflect.Value.Interfacereflect.Value.NumMethodreflect.methodValueCallruntime: internal errorruntime: invalid type runtime: netpoll failedruntime: s.allocCount= s.allocCount > s.nelemsschedule: holding lockssegment length too longshrinkstack at bad timeskipping Question Classspan has no free stackssql: database is closedstack growth after forksyntax error in patternsystem huge page size (text/css; charset=utf-8text/xml; charset=utf-8time: invalid duration tls: invalid PSK bindertoo many pointers (>10)truncated tag or lengthunexpected Huffman codeunexpected address typeunexpected map key typeunknown empty width argunknown error code 0x%xunpacking Question.Nameunpacking Question.Typeunsupported certificatevarint integer overflowwork.nwait > work.nprocx509: invalid key usagex509: malformed UTCTimex509: malformed version() => this.parentElement, equals www.youtube.com (Youtube)
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: got CONTINUATION for stream %d; expected stream %dhttp: putIdleConn: CloseIdleConnections was calledhttp: suspiciously long trailer after chunked bodyhttps://www.youtube.com/getAccountSwitcherEndpointmallocgc called with gcphase == _GCmarkterminationnet/http: HTTP/1.x transport connection broken: %vnet/http: Transport failed to read from server: %vnet/http: cannot rewind body after connection lossrecursive call during initialization - linker skewreflect.Value.Slice3: slice of unaddressable arrayruntime: unable to acquire - semaphore out of synctls: invalid signature by the client certificate: tls: invalid signature by the server certificate: tls: received unexpected CertificateStatus messagex509: RSA public exponent is not a positive numberx509: invalid RDNSequence: invalid attribute valuex509: missing ASN.1 contents; use ParseCertificate{ equals www.youtube.com (Youtube)
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.bohemiancoding.com/sketch
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://go-rod.github.io/#/compatibility?id=os:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://go-rod.github.io/#/compatibility?id=osfunction(e)
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://golang.org/pkg/time/#ParseDuration)
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://playwright.azureedge.net/builds/chromium/%d/chromium-linux-arm64.ziptls:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://registry.npmmirror.com/-/binary/chromium-browser-snapshots/%s/%d/%stls:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://storage.googleapis.com/chromium-browser-snapshots/%s/%d/%sreflect:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://studio.youtube.com/reauth
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://studio.youtube.com/youtubei/v1/ars/grst?alt=json&key=net/http:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://studio.youtube.com/youtubei/v1/security/get_web_reauth_url?alt=json&key=tls:
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.youtube.com/getAccountSwitcherEndpointmallocgc
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.youtube.comindex
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://youtube.com/inconsistent
Source: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://youtube.comif-unmodified-sinceillegal
Source: C:\Users\user\Desktop\DefendUpdate.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal60.spyw.winEXE@6/0@0/0
Source: unknown | Process created: C:\Users\user\Desktop\DefendUpdate.exe C:\Users\user\Desktop\DefendUpdate.exe
Source: C:\Users\user\Desktop\DefendUpdate.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\DefendUpdate.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:676:120:WilError_01
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: DefendUpdate.exe, 00000000.00000002.250506545.0000000001B66000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: DefendUpdate.exe | Static file information: File size 4510208 > 1048576
Source: DefendUpdate.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x44ce00
Source: DefendUpdate.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: DefendUpdate.exe | Static PE information: section name: UPX2
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\DefendUpdate.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\DefendUpdate.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\choice.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\choice.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: DefendUpdate.exe, 00000000.00000002.256167775.0000023CE217C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DefendUpdate.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c22ad13a-a322-4fd2-af93-38f6ee0e683c
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_apdfllckaahabafndbhieahigkjlhalf
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform Notifications
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pjkljhegncpnkpknbcohdijeoejaedia
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\user\Desktop\DefendUpdate.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
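The file-open evidence above is what drives the "Tries to harvest and steal browser information" signature: a non-browser process walking the Chrome profile directory. The following is an added detection example, not part of the Joe Sandbox report. It groups constructed file-open events by the opening process and flags any process that is not a browser and that either touches a secrets file (Login Data, Cookies, Web Data, History, Local State) or opens several distinct profile paths. The event field names, the browser allow-list, the threshold and all events except the three DefendUpdate.exe paths copied from the report are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed file-open events (image that opened the path, path opened).
# The three DefendUpdate.exe profile paths are taken from the report; the
# remaining events are made-up contrasts.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\user\Desktop\DefendUpdate.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker"},
    {"image": r"C:\Users\user\Desktop\DefendUpdate.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache"},
    {"image": r"C:\Users\user\Desktop\DefendUpdate.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb"},
    {"image": r"C:\Users\user\Desktop\DefendUpdate.exe",
     "path": r"C:\Windows\System32\kernel32.dll"},                      # not a profile path, ignored
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},  # the browser itself
    {"image": r"C:\Program Files\Backup\backup.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache"},    # one harmless path
    {"image": r"C:\Users\user\AppData\Local\Temp\one.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},  # single secrets file
]

# Processes expected to touch their own profile directory (assumed allow-list).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Chromium-family profile roots; anything below them is a profile artefact.
PROFILE_ROOT = re.compile(
    r"\\AppData\\Local\\(?:Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser|Chromium)\\User Data\\",
    re.IGNORECASE,
)

# Files that hold credentials, cookies or the DPAPI-wrapped master key.
SENSITIVE_LEAF = re.compile(r"\\(?:Login Data|Cookies|Web Data|History|Local State)$", re.IGNORECASE)


def profile_paths_by_process(events):
    """Distinct profile paths opened, keyed by the full image path of the opener."""
    seen = defaultdict(set)
    for ev in events:
        if PROFILE_ROOT.search(ev["path"]):
            seen[ev["image"]].add(ev["path"])
    return seen


def find_profile_harvesters(events, min_paths=3):
    """Flag non-browser processes that read a secrets file or enumerate the
    profile (>= min_paths distinct paths). Returns one dict per process."""
    hits = []
    for image, paths in profile_paths_by_process(events).items():
        if image.rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES:
            continue
        sensitive = sorted(p for p in paths if SENSITIVE_LEAF.search(p))
        if sensitive or len(paths) >= min_paths:
            hits.append({"image": image, "paths": len(paths), "sensitive": sensitive})
    return hits


if __name__ == "__main__":
    for hit in find_profile_harvesters(SAMPLE_EVENTS):
        print(hit)
```

The directory-enumeration branch is what catches this sample: none of the listed opens is a secrets file, yet a desktop executable has no business opening three different subdirectories of a Chrome profile. Tune `min_paths` against backup and sync agents in your own environment before alerting on it.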
MITRE ATT&CK Matrix (the report's three matrix rows, listed per tactic from left to right; entries with a leading number are the techniques the report matched, the others are the matrix's default placeholders)
Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: 11 Process Injection | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: 1 Software Packing | 11 Process Injection | 1 Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: 1 Security Software Discovery | 1 File and Directory Discovery | 11 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: 1 Data from Local System | Data from Removable Media | Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control: Data Obfuscation | Junk Data | Steganography
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data
Behavior Graph (ID 829698, sample DefendUpdate.exe, start date 19/03/2023, architecture WINDOWS, score 60). Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file. Process tree: DefendUpdate.exe (Tries to harvest and steal browser information (history, passwords, etc)) started cmd.exe, which started conhost.exe and choice.exe.

Source | Detection | Scanner | Label | Link
DefendUpdate.exe | 28% | ReversingLabs | Win64.Trojan.Generic |
DefendUpdate.exe | 30% | Virustotal | | Browse
DefendUpdate.exe | 100% | Avira | HEUR/AGEN.1250720 |
No Antivirus matches
Source | Detection | Scanner | Label
https://go-rod.github.io/#/compatibility?id=os: | 0% | URL Reputation | safe
https://go-rod.github.io/#/compatibility?id=osfunction(e) | 0% | URL Reputation | safe
https://registry.npmmirror.com/-/binary/chromium-browser-snapshots/%s/%d/%stls: | 0% | URL Reputation | safe
https://youtube.comif-unmodified-sinceillegal | 0% | URL Reputation | safe
https://www.youtube.comindex | 0% | URL Reputation | safe
http://www.bohemiancoding.com/sketch | 0% | URL Reputation | safe
No contacted domains info
Source for every entry below: DefendUpdate.exe, 00000000.00000002.250506545.00000000010D1000.00000040.00000001.01000000.00000003.sdmp (the URL strings carry adjacent memory bytes, e.g. "tls:" and "index", exactly as extracted)
Name | Malicious | Antivirus Detection | Reputation
https://go-rod.github.io/#/compatibility?id=os: | false | URL Reputation: safe | unknown
https://go-rod.github.io/#/compatibility?id=osfunction(e) | false | URL Reputation: safe | unknown
https://studio.youtube.com/youtubei/v1/security/get_web_reauth_url?alt=json&key=tls: | false | - | high
https://registry.npmmirror.com/-/binary/chromium-browser-snapshots/%s/%d/%stls: | false | URL Reputation: safe | unknown
https://studio.youtube.com/reauth | false | - | high
https://youtube.comif-unmodified-sinceillegal | false | URL Reputation: safe | unknown
https://www.youtube.comindex | false | URL Reputation: safe | unknown
http://www.bohemiancoding.com/sketch | false | URL Reputation: safe | unknown
https://www.youtube.com/getAccountSwitcherEndpointmallocgc | false | - | high
https://youtube.com/inconsistent | false | - | high
https://golang.org/pkg/time/#ParseDuration) | false | - | high
https://studio.youtube.com/youtubei/v1/ars/grst?alt=json&key=net/http: | false | - | high
              No contacted IP infos
              Joe Sandbox Version:37.0.0 Beryl
              Analysis ID:829698
              Start date and time:2023-03-19 00:20:11 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 2m 39s
              Hypervisor based Inspection enabled:false
              Report type:light
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:4
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:DefendUpdate.exe
              Detection:MAL
              Classification:mal60.spyw.winEXE@6/0@0/0
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Stop behavior analysis, all processes terminated
              • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              No simulations
              No context
              No created / dropped files found
              File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
              Entropy (8bit):7.999924637565079
              TrID:
              • UPX compressed Win32 Executable (30571/9) 65.62%
              • Win64 Executable (generic) (12005/4) 25.77%
              • Generic Win/DOS Executable (2004/3) 4.30%
              • DOS Executable Generic (2002/1) 4.30%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
              File name:DefendUpdate.exe
              File size:4510208
              MD5:d9c8a47ef46ec852f3eddad0ea93a799
              SHA1:d8abd4904ce2a225226278556511473c1d0ea406
              SHA256:ae3e61c6db3e5886a7265c46658833259e5342e0f233fd980e9b4243d16f3336
              SHA512:fc8e15d901ee0050d09222c6dd8009151ca8e3683a6dd121190cde62f7583e8562213d5147abc266e5491ae244823d39c1f3e3a8f497b4ff8d7476a89ee9be27
              SSDEEP:98304:P6FJfC8HbiXNMLpU2MSJ8LIKZl9ll6QXengLduSkE:NauOU2xlsekenwdRkE
              TLSH:A32633750289C829F97377F4A27F0E70530E3A0E95BF7371898B66755890EF86CA6072
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...vp.d..............."..D.........@.........@...........................................`... ............................
              Icon Hash:00828e8e8686b000
              Entrypoint:0x125d040
              Entrypoint Section:UPX1
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Time Stamp:0x64157076 [Sat Mar 18 08:04:06 2023 UTC]
              TLS Callbacks:0x125dbed
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:1
              File Version Major:6
              File Version Minor:1
              Subsystem Version Major:6
              Subsystem Version Minor:1
              Import Hash:9aebf3da4677af9275c461261e5abde3
Instruction (entrypoint disassembly; the report decoded it as 32-bit code although the file is a PE32+ x86-64 image, so the interleaved dec eax, dec ecx, dec edx, dec esp, inc ecx, inc esp and inc ebp lines are REX prefix bytes 0x40-0x4F belonging to the instruction that follows them, and the 32-bit register names shown stand for their 64-bit or r8-r15 counterparts)
              push ebx
              push esi
              push edi
              push ebp
              dec eax
              lea esi, dword ptr [FFBB3FDAh]
              dec eax
              lea edi, dword ptr [esi-00A10025h]
              dec eax
              lea eax, dword ptr [edi+00E2EC5Ch]
              push dword ptr [eax]
              mov dword ptr [eax], 81304EFEh
              push eax
              push edi
              mov eax, 00E5B5C4h
              push eax
              dec eax
              mov ecx, esp
              dec eax
              mov edx, edi
              dec eax
              mov edi, esi
              mov esi, 0044C017h
              push ebp
              dec eax
              mov ebp, esp
              inc esp
              mov ecx, dword ptr [ecx]
              dec ecx
              mov eax, edx
              dec eax
              mov edx, esi
              dec eax
              lea esi, dword ptr [edi+02h]
              push esi
              mov al, byte ptr [edi]
              dec edx
              mov cl, al
              and al, 07h
              shr cl, 00000003h
              dec eax
              mov ebx, FFFFFD00h
              dec eax
              shl ebx, cl
              mov cl, al
              dec eax
              lea ebx, dword ptr [esp+ebx*2-00000E78h]
              dec eax
              and ebx, FFFFFFC0h
              push 00000000h
              dec eax
              cmp esp, ebx
              jne 00007F841CCE855Bh
              push ebx
              dec eax
              lea edi, dword ptr [ebx+08h]
              mov cl, byte ptr [esi-01h]
              dec edx
              mov byte ptr [edi+02h], al
              mov al, cl
              shr cl, 00000004h
              mov byte ptr [edi+01h], cl
              and al, 0Fh
              mov byte ptr [edi], al
              dec eax
              lea ecx, dword ptr [edi-04h]
              push eax
              inc ecx
              push edi
              dec eax
              lea eax, dword ptr [edi+04h]
              inc ebp
              xor edi, edi
              inc ecx
              push esi
              inc ecx
              mov esi, 00000001h
              inc ecx
              push ebp
              inc ebp
              xor ebp, ebp
              inc ecx
              push esp
              push ebp
              push ebx
              dec eax
              mov dword ptr [esp-10h], ecx
              dec eax
              mov dword ptr [esp-28h], eax
              mov eax, 00000001h
              dec eax
              mov dword ptr [esp-08h], esi
              dec esp
              mov dword ptr [esp-18h], eax
              mov ebx, eax
              inc esp
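The listing above is easier to read once the 32-bit misdecoding is undone. The following is an added helper, not part of the Joe Sandbox report: it maps a misdecoded `inc`/`dec reg32` mnemonic back to the REX byte it really is (0x48 = REX.W shows as `dec eax`, 0x41 = REX.B as `inc ecx`, 0x45 = REX.R+B as `inc ebp`) and applies those bits to the next instruction, turning `inc ecx; push esi` into `push r14` and `inc ebp; xor edi, edi` into `xor r15d, r15d`. One assumption is made explicit in the code: for register-to-register forms it takes the "r/m, reg" encoding (opcodes 0x31, 0x89 and friends), which the mnemonic alone cannot tell you.

```python
from typing import Optional

# Register order as encoded in the low three bits of the opcode/ModRM fields.
_REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
_REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
_NO_REX = {"byte": 0, "W": False, "R": False, "X": False, "B": False}


def rex_from_legacy(mnemonic: str) -> dict:
    """Map a misdecoded 'inc reg32'/'dec reg32' (single-byte 0x40-0x4F in
    32-bit mode) back to the REX prefix byte and its W/R/X/B bits."""
    op, reg = mnemonic.split()
    if op not in ("inc", "dec") or reg not in _REG32:
        raise ValueError(f"not a single-byte inc/dec: {mnemonic!r}")
    byte = (0x40 if op == "inc" else 0x48) + _REG32.index(reg)
    return {
        "byte": byte,
        "W": bool(byte & 0x8),  # 64-bit operand size
        "R": bool(byte & 0x4),  # extends ModRM.reg
        "X": bool(byte & 0x2),  # extends SIB.index
        "B": bool(byte & 0x1),  # extends ModRM.rm / opcode-embedded register
    }


def rename(rex: dict, reg32: str, field: str, wide: Optional[bool] = None) -> str:
    """64-bit-mode name of a register the 32-bit decoder printed as `reg32`.
    `field` names the encoding field that held it ('reg' is extended by REX.R;
    'rm' and the opcode-embedded register by REX.B). `wide` overrides REX.W for
    instructions whose default operand size is already 64 bits."""
    idx = _REG32.index(reg32)
    ext = rex["R"] if field == "reg" else rex["B"]
    if wide is None:
        wide = rex["W"]
    if ext:
        return f"r{8 + idx}" + ("" if wide else "d")
    return _REG64[idx] if wide else _REG32[idx]


def decode_push_pop(prefix: Optional[str], legacy: str) -> str:
    """`push`/`pop reg` (0x50-0x5F) default to 64-bit operands in long mode, so
    only REX.B matters: `inc ecx; push esi` is really `push r14`."""
    rex = rex_from_legacy(prefix) if prefix else _NO_REX
    op, reg = legacy.split()
    return f"{op} {rename(rex, reg, 'opcode', wide=True)}"


def decode_rr(prefix: Optional[str], legacy: str) -> str:
    """Register-to-register ALU/mov forms such as `xor edi, edi` or
    `mov eax, edx`. ASSUMPTION: the 'r/m, reg' encoding, so the destination
    sits in ModRM.rm (REX.B) and the source in ModRM.reg (REX.R)."""
    rex = rex_from_legacy(prefix) if prefix else _NO_REX
    op, operands = legacy.split(None, 1)
    dst, src = [t.strip() for t in operands.split(",")]
    return f"{op} {rename(rex, dst, 'rm')}, {rename(rex, src, 'reg')}"


if __name__ == "__main__":
    # Pairs taken from the listing above, as the report printed them.
    for prefix, insn in [("inc ecx", "push esi"), ("inc ecx", "push ebp"), ("inc ecx", "push esp")]:
        print(f"{prefix}; {insn:10} -> {decode_push_pop(prefix, insn)}")
    for prefix, insn in [("inc ebp", "xor edi, edi"), ("dec ecx", "mov eax, edx"), ("dec eax", "mov ecx, esp")]:
        print(f"{prefix}; {insn:14} -> {decode_rr(prefix, insn)}")
```

Read this way, the three `inc ecx; push` pairs near the end of the listing are `push r14`, `push r13` and `push r12`, the usual callee-saved register spills of a 64-bit prologue, and `dec eax; lea esi, ...` is a RIP-relative `lea rsi`. For anything beyond a quick sanity check, re-disassemble the entrypoint in 64-bit mode rather than translating by hand.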
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xe30000 | 0x159 | UPX1
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe5e000 | 0xd0 | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xdb9000 | 0x5e20 | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe5e0d0 | 0x14 | UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xe5dc18 | 0x28 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xa10000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xa11000 | 0x44d000 | 0x44ce00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2 | 0xe5e000 | 0x1000 | 0x200 | False | 0.28125 | data | 2.097972113314606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
msvcrt.dll | exit
              Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.


              Target ID:0
              Start time:00:21:04
              Start date:19/03/2023
              Path:C:\Users\user\Desktop\DefendUpdate.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\Desktop\DefendUpdate.exe
              Imagebase:0x10d0000
              File size:4510208 bytes
              MD5 hash:D9C8A47EF46EC852F3EDDAD0EA93A799
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:1
              Start time:00:21:05
              Start date:19/03/2023
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\DefendUpdate.exe
              Imagebase:0x7ff707bb0000
              File size:273920 bytes
              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
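The cmd.exe command line above is the sample's self-removal: `choice /C Y /N /D Y /T 0` is a zero-second wait that lets the parent exit before `Del` removes its own image from the desktop. The following is an added detection example, not part of the Joe Sandbox report. It goes slightly beyond the report's case: it parses constructed process-creation events, extracts every `del`/`erase` target from a cmd.exe command line (splitting on `&` and `|` so a chained delete is seen on its own), flags the event when a target equals the parent's image path, and separately notes the presence of a delay idiom (`choice /T`, `ping -n`, `timeout /T`). The event field names and all events except the first command line, which is copied from the report, are assumptions for this example.

```python
import re

# Constructed process-creation events (Sysmon event 1 style fields) for
# this example. Event 1 carries the exact cmd.exe command line from the
# report; events 2-4 are made-up contrasts.
SAMPLE_EVENTS = [
    {"id": 1,
     "parent_image": r"C:\Users\user\Desktop\DefendUpdate.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\user\Desktop\DefendUpdate.exe"},
    {"id": 2,  # interactive prompt with a delay but no delete
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C choice /C YN /T 10 /D N /M "Reboot now?"'},
    {"id": 3,  # deletes a log file, not its parent
     "parent_image": r"C:\Tools\cleanup.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Temp\cleanup.log"},
    {"id": 4,  # same trick with ping as the delay and erase with a quoted path
     "parent_image": r"C:\Users\user\AppData\Local\Temp\stager.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & erase "C:\Users\user\AppData\Local\Temp\stager.exe"'},
]

# `del`/`erase` at the start of a command segment or after whitespace (covers `cmd /c del ...`).
_DEL_CMD = re.compile(r"(?:^|\s)(?:del|erase)\s+(.*)$", re.IGNORECASE)
# Quoted or bare tokens of the argument list.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Common "wait for the parent to exit" idioms used before a self-delete.
_DELAY = re.compile(r"\b(?:choice\b.*?/T\s+\d+|ping\b.*?-n\s+\d+|timeout\b.*?/T\s+\d+)", re.IGNORECASE)


def delete_targets(cmdline: str) -> list:
    """Paths passed to `del`/`erase` anywhere in a cmd.exe command line.
    Segments are split on & and | first so a chained delete is parsed alone;
    switches such as /q and /f are skipped."""
    targets = []
    for segment in re.split(r"[&|]+", cmdline):
        m = _DEL_CMD.search(segment)
        if not m:
            continue
        for quoted, bare in _TOKEN.findall(m.group(1)):
            tok = quoted or bare
            if tok and not tok.startswith("/"):
                targets.append(tok)
    return targets


def has_delay(cmdline: str) -> bool:
    """True when the line contains a choice/ping/timeout delay idiom."""
    return bool(_DELAY.search(cmdline))


def is_self_delete(event: dict) -> bool:
    """cmd.exe deleting the image of the process that spawned it."""
    if event["image"].rsplit("\\", 1)[-1].lower() != "cmd.exe":
        return False
    parent = event["parent_image"].lower()
    return any(t.lower() == parent for t in delete_targets(event["cmdline"]))


def find_self_deletes(events) -> list:
    """(event id, delayed?) for every event that deletes its parent image."""
    return [(ev["id"], has_delay(ev["cmdline"])) for ev in events if is_self_delete(ev)]


if __name__ == "__main__":
    for event_id, delayed in find_self_deletes(SAMPLE_EVENTS):
        print(f"event {event_id}: parent image deleted by child cmd.exe (delay idiom: {delayed})")
```

Keying on the parent image rather than on the `choice` string is what keeps the rule useful: the delay command is interchangeable (event 4 uses `ping`), the path is not. Because the file is gone by the time a responder looks, this rule is also the cue to pull the original from the EDR's file capture or from the sandbox submission, as this report did.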

              Target ID:2
              Start time:00:21:05
              Start date:19/03/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:00:21:06
              Start date:19/03/2023
              Path:C:\Windows\System32\choice.exe
              Wow64 process (32bit):false
              Commandline:choice /C Y /N /D Y /T 0
              Imagebase:0x7ff66f650000
              File size:33280 bytes
              MD5 hash:EA29BC6BCB1EFCE9C9946C3602F3E754
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate

              No disassembly