
Windows Analysis Report
Windows Defender.exe

Overview

General Information

Sample name:Windows Defender.exe
Analysis ID:1478308
MD5:fa3f84d3150dab7b7d8e35efbb8d02db
SHA1:5b690c0be18426633a1954844f49cee2b1e09cb7
SHA256:a42d5a457ee0d90dee5cb5ba969687a83ba5626abf040a2f3ed496f83456c162

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Yara signature match

Classification

Process Tree

  • System is w10x64native
  • Windows Defender.exe (PID: 9212 cmdline: "C:\Users\user\Desktop\Windows Defender.exe" MD5: FA3F84D3150DAB7B7D8E35EFBB8D02DB)
    • WerFault.exe (PID: 6520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 9212 -s 1632 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup

Malware Configuration

XWorm: {"C2 url": ["rest-root.gl.at.ply.gg"], "Port": "22746", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x11bec:$s6: VirtualBox
  • 0x11b4a:$s8: Win32_ComputerSystem
  • 0x14ad9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x14b76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x14c8b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x13656:$cnc4: POST / HTTP/1.1
00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xdc0c:$s6: VirtualBox
  • 0xdb6a:$s8: Win32_ComputerSystem
  • 0x10af9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10b96:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10cab:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf676:$cnc4: POST / HTTP/1.1
00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(6 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Windows Defender.exe.50f0000.3.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.2.Windows Defender.exe.50f0000.3.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
1.2.Windows Defender.exe.50f0000.3.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd67c:$s6: VirtualBox
  • 0xd5da:$s8: Win32_ComputerSystem
  • 0x10569:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10606:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1071b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf0e6:$cnc4: POST / HTTP/1.1
1.2.Windows Defender.exe.3695570.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.2.Windows Defender.exe.3695570.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
(12 further entries not shown)

Sigma Overview

No Sigma rule has matched

Snort Overview

No Snort rule has matched

AV Detection

Source: rest-root.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: 00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["rest-root.gl.at.ply.gg"], "Port": "22746", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: Windows Defender.exe | ReversingLabs: Detection: 65%
Source: Windows Defender.exe | Joe Sandbox ML: detected
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack | String decryptor: rest-root.gl.at.ply.gg
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack | String decryptor: 22746
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack | String decryptor: <123456789>
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack | String decryptor: <Xwormmm>
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack | String decryptor: Windows Defender
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack | String decryptor: USB.exe
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack | String decryptor: %AppData%
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack | String decryptor: Windows defender.exe
Source: Windows Defender.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Xml.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.ni.pdbRSDS source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: Microsoft.VisualBasic.pdb8: source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Drawing.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Drawing.ni.pdbRSDS source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Xml.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Management.pdbSystem.Configuration.ni.dll source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Core.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: mscorlib.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Management.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Drawing.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: mscorlib.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Management.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Core.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Core.pdbMZ source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: mscorlib.ni.pdbRSDS] source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: mscorlib.pdbH source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERAD4A.tmp.dmp.5.dr
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 4x nop then jmp 00CA5148h | 1_2_00CA5060

Networking

Source: Malware configuration extractor | URLs: rest-root.gl.at.ply.gg
Source: Yara match | File source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: Windows Defender.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Windows Defender.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Windows Defender.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Windows Defender.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Windows Defender.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Windows Defender.exe, 00000001.00000002.1274563768.0000000002952000.00000004.00000800.00020000.00000000.sdmp, Windows Defender.exe, 00000001.00000002.1274563768.0000000002962000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Windows Defender.exe, 00000001.00000002.1274563768.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, Windows Defender.exe, 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Windows Defender.exe, 00000001.00000002.1274563768.0000000002962000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.comd
Source: Windows Defender.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: Windows Defender.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: Windows Defender.exe, 00000001.00000002.1274563768.0000000002952000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: Windows Defender.exe | String found in binary or memory: http://www.digicert.com/CPS0
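The Networking entries above carry the two network tells worth alerting on: the plain HTTP GET /line/?fields=hosting to ip-api.com with no User-Agent header (the "Check if machine is in data center or colocation facility" signature: the hosting field tells the sample whether it runs on sandbox or cloud infrastructure), and the C2 host and port the configuration extractor recovered. The Python below is an added example and not part of the Joe Sandbox report. It parses the configuration string exactly as printed above and runs the corresponding checks over constructed Zeek-style http.log, dns.log and conn.log records. The field names follow Zeek's conventions, the 203.0.113.10 address is a documentation-range placeholder for whatever the C2 name resolved to, and only the ip-api.com request and its server address 208.95.112.1 come from the report.

```python
import json
from typing import NamedTuple

# Configuration exactly as the report's Malware Configuration Extractor printed it.
XWORM_CONFIG = (
    '{"C2 url": ["rest-root.gl.at.ply.gg"], "Port": "22746", '
    '"Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}'
)

# Public IP-lookup hosts whose "hosting" field tells the caller whether it sits in a
# data center. The report shows ip-api.com; the set is an assumption you would extend.
HOSTING_CHECK_HOSTS = {"ip-api.com"}


class Alert(NamedTuple):
    src: str      # internal host that made the request or connection
    rule: str     # which check fired
    detail: str


def c2_indicators(config_json: str) -> set[tuple[str, int]]:
    """Turn the extracted config into (host, port) pairs to match against connections."""
    cfg = json.loads(config_json)
    port = int(cfg["Port"])
    return {(host.lower(), port) for host in cfg["C2 url"]}


def detect_http(http_records: list[dict]) -> list[Alert]:
    """Flag the data-center check and any request sent without a User-Agent."""
    alerts = []
    for r in http_records:
        host, uri = r["host"].lower(), r["uri"]
        request = f"{r['method']} {host}{uri}"
        if host in HOSTING_CHECK_HOSTS and "fields=hosting" in uri:
            alerts.append(Alert(r["id.orig_h"], "hosting_check", request))
        if r["user_agent"] in ("-", ""):      # Zeek logs '-' for an absent header
            alerts.append(Alert(r["id.orig_h"], "no_user_agent", request))
    return alerts


def detect_c2(dns_records: list[dict], conn_records: list[dict],
              indicators: set[tuple[str, int]]) -> list[Alert]:
    """Map conn.log destinations back to the name that was queried, then match
    (name, port) against the C2 pairs from the configuration."""
    resolved = {}
    for d in dns_records:
        for ip in d["answers"]:
            resolved[ip] = d["query"].lower()
    alerts = []
    for c in conn_records:
        name = resolved.get(c["id.resp_h"])
        if name and (name, c["id.resp_p"]) in indicators:
            alerts.append(Alert(c["id.orig_h"], "xworm_c2",
                                f"{name}:{c['id.resp_p']} ({c['id.resp_h']})"))
    return alerts


# Constructed Zeek-style records for illustration; only the ip-api.com request and its
# server address 208.95.112.1 mirror the report. 203.0.113.10 is a documentation-range
# address standing in for whatever rest-root.gl.at.ply.gg resolved to.
HTTP_LOG = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "208.95.112.1", "method": "GET",
     "host": "ip-api.com", "uri": "/line/?fields=hosting", "user_agent": "-"},
    {"id.orig_h": "10.0.0.7", "id.resp_h": "208.95.112.1", "method": "GET",
     "host": "ip-api.com", "uri": "/json/", "user_agent": "curl/8.4.0"},
    {"id.orig_h": "10.0.0.7", "id.resp_h": "93.184.216.34", "method": "GET",
     "host": "example.org", "uri": "/", "user_agent": "Mozilla/5.0"},
]
DNS_LOG = [
    {"query": "ip-api.com", "answers": ["208.95.112.1"]},
    {"query": "rest-root.gl.at.ply.gg", "answers": ["203.0.113.10"]},
]
CONN_LOG = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 22746, "proto": "tcp"},
    {"id.orig_h": "10.0.0.7", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp"},
]


def run() -> list[Alert]:
    return detect_http(HTTP_LOG) + detect_c2(DNS_LOG, CONN_LOG, c2_indicators(XWORM_CONFIG))


if __name__ == "__main__":
    for a in run():
        print(f"{a.src:<10} {a.rule:<14} {a.detail}")
```

A request to ip-api.com is not malicious on its own; the combination of fields=hosting, a missing User-Agent and a later connection from the same internal host to the extracted C2 pair is what makes the alert actionable. The at.ply.gg domain belongs to the playit.gg tunnelling service, so the address behind rest-root.gl.at.ply.gg is not stable; match on the DNS name and port as detect_c2 does rather than on a pinned IP.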

System Summary

Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Windows Defender.exe.50f0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Windows Defender.exe.3695570.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Windows Defender.exe.28bbfd8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.Windows Defender.exe.36b5590.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 1_2_00CAA160 NtProtectVirtualMemory | 1_2_00CAA160
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 1_2_00CAA158 NtProtectVirtualMemory | 1_2_00CAA158
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 1_2_00CA4138 | 1_2_00CA4138
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 1_2_00CAF590 | 1_2_00CAF590
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 1_2_00CA3868 | 1_2_00CA3868
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 1_2_00CA3520 | 1_2_00CA3520
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 1_2_05121CB8 | 1_2_05121CB8
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 9212 -s 1632
Source: Windows Defender.exe | Static PE information: invalid certificate
Source: Windows Defender.exe, 00000001.00000002.1273122404.000000000068E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Windows Defender.exe
Source: Windows Defender.exe, 00000001.00000000.1207629158.0000000000152000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameVLC Media Player Update.exel& vs Windows Defender.exe
Source: Windows Defender.exe | Binary or memory string: OriginalFilenameVLC Media Player Update.exel& vs Windows Defender.exe
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Windows Defender.exe.50f0000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Windows Defender.exe.3695570.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Windows Defender.exe.28bbfd8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Windows Defender.exe.36b5590.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, k9ZEaIQ7WE7abcI.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, sjmftLizVeKZw8R.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, sjmftLizVeKZw8R.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, k9ZEaIQ7WE7abcI.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, sjmftLizVeKZw8R.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, sjmftLizVeKZw8R.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, k9ZEaIQ7WE7abcI.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, sjmftLizVeKZw8R.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, sjmftLizVeKZw8R.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, k9ZEaIQ7WE7abcI.csBase64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, DNAvWoxlxYdwRmJ.csBase64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, cwqxDxQiWlgCHGb.csBase64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, hkW0iHAt1n34uyi.csBase64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, I3Th8Mh3i2t6BO8.csBase64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, sjmftLizVeKZw8R.csBase64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
                Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, k9ZEaIQ7WE7abcI.csBase64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
                Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, DNAvWoxlxYdwRmJ.csBase64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
                Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, cwqxDxQiWlgCHGb.csBase64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
                Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, hkW0iHAt1n34uyi.csBase64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
                Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, I3Th8Mh3i2t6BO8.csBase64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
                Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, sjmftLizVeKZw8R.csBase64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
                Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, k9ZEaIQ7WE7abcI.csBase64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
                Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, DNAvWoxlxYdwRmJ.csBase64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
                Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, cwqxDxQiWlgCHGb.csBase64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
                Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, hkW0iHAt1n34uyi.csBase64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
                Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, I3Th8Mh3i2t6BO8.csBase64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
                Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, sjmftLizVeKZw8R.csBase64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/6@1/1
Source: C:\Users\user\Desktop\Windows Defender.exe | Mutant created: \Sessions\1\BaseNamedObjects\Vi0dGCBzRjwIFWiY
Source: C:\Users\user\Desktop\Windows Defender.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess9212
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9e0538c4-4ad2-406f-8421-e1a21a836bc8
Source: Windows Defender.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Windows Defender.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Windows Defender.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Windows Defender.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\Windows Defender.exe "C:\Users\user\Desktop\Windows Defender.exe"
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 9212 -s 1632
                Source: C:\Users\user\Desktop\Windows Defender.exe -- Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, edgegdi.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, uxtheme.dll, windowscodecs.dll, wldp.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll
                Source: C:\Users\user\Desktop\Windows Defender.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Users\user\Desktop\Windows Defender.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: Windows Defender.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR runtime header, i.e. a .NET assembly)
                Source: Windows Defender.exe -- Static PE information: DllCharacteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Xml.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.ni.pdbRSDS source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: Microsoft.VisualBasic.pdb8: source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Drawing.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Drawing.ni.pdbRSDS source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Xml.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Management.pdbSystem.Configuration.ni.dll source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Core.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: mscorlib.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Management.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Drawing.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: mscorlib.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Management.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Core.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Core.pdbMZ source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: mscorlib.ni.pdbRSDS] source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: mscorlib.pdbH source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.ni.pdb source: WERAD4A.tmp.dmp.5.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERAD4A.tmp.dmp.5.dr

                Data Obfuscation

                Source: all three unpacked regions (1.2.Windows Defender.exe.50f0000.3, .3695570.1 and .36b5590.2 .raw.unpack), hkW0iHAt1n34uyi.cs -- .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: all three unpacked regions, hkW0iHAt1n34uyi.cs -- .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: Windows Defender.exe, aKYBFWxVcvgzSqutdA.cs -- .Net Code: INpXVPAqrasLxcuAFBIuBxs System.Reflection.Assembly.Load(byte[])
                Source: Windows Defender.exe, zVkaximmklVTnzxbYDlSgpv.cs -- .Net Code: KPpjglGKKVTcixXAO System.Reflection.Assembly.Load(byte[])
                Source: all three unpacked regions, hkW0iHAt1n34uyi.cs -- .Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
                Source: all three unpacked regions, hkW0iHAt1n34uyi.cs -- .Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
                Source: all three unpacked regions, hkW0iHAt1n34uyi.cs -- .Net Code: _2yleSFZfrEaaNXy
                Taken together these sites form a reflective loader: Assembly.Load(byte[]) and AppDomain.Load(byte[]) load an assembly from a byte array in memory rather than from a file, and NewLateBinding.LateCall(obj, null, "Invoke", ...) is the VB.NET late-binding helper calling a member named Invoke on an object resolved only at run time, which is how the next stage is entered without any compile-time reference to it. The second LateCall site hands over a base64-decoded buffer (Convert.FromBase64String) after passing it through sjmftLizVeKZw8R.LmgXrb8KxfqOZHi, consistent with the string-decryption finding in the overview.
                Source: Windows Defender.exe -- Static PE information: compile time stamp 0xB7F4BC21 [Wed Oct 19 17:04:33 2067 UTC], a date in the future relative to the analysis, which is why the overview flags a suspicious time stamp
                Source: Windows Defender.exe, iCFfQamPVVoNDXlKXXpdY.cs -- High entropy of concatenated method names: 'gkCXyxKQccFToBoFiwf', 'UlzHzWuZwAyaNEVVcsbpEF', 'LHjjkVRosykJukuYbCkUbee', 'jgTcqVpiPtnz', 'mKDeMFccvbkhTA', 'UkQhccADCoyXICuBxvIorg', 'PYCenFjuWUBOecFXmmGBpN', 'TaBZmmLLvnuAJayNyTtc', 'HoPZrXWCkf', 'CqjDmfwILJ'
                Source: Windows Defender.exe, ktoGgUIzzSITxyhxcImKG.cs -- High entropy of concatenated method names: 'rVzWvgJydyi', 'CFjLAjEpfPeUaiLaheoAf', 'BSHJYbqAoKlNvbNRIDG', 'YcrfvNUiRyJiEW', 'QDqKcyeaUi', 'mkMPWluPHZbbO', 'GIjqADJZYwNSt', 'RuBWwiakVBbYnpPdpcc', 'VqujTfDNLQCErQxMYFfflWmhO', 'PUJvHkqvHazSCRfNZF'
                Source: Windows Defender.exe, AqnGDJXdpImuVfGaIOnp.cs -- High entropy of concatenated method names: 'bDVenVjFAfDfzh', 'EGYmIcRagEyFkFClq', 'QYmRcPnoXodiOWx', 'VCqBgnJcpZoQyzxtMNiI', 'mdIyUFdxxpcHDkAvpldPK', 'CbXpXrjWBnovjYhCMh', 'frkLIvPxyWbEtcJahaeh', 'NbopTIAbNnZvielSPPuHu', 'zZiuSZyAbhAvRPvWpnPVl', 'CILxXISKkZrccPGYpadM'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, IiG77VCIYIyAinp.cs -- High entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, 4HsJjuIP2UkRI9R.cs -- High entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, k9ZEaIQ7WE7abcI.cs -- High entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, yfcXnm8Ph88Q7SS.cs -- High entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, 85IhxSGtOfNN64Z.cs -- High entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, DNAvWoxlxYdwRmJ.cs -- High entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, cwqxDxQiWlgCHGb.cs -- High entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, hkW0iHAt1n34uyi.cs -- High entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, I3Th8Mh3i2t6BO8.cs -- High entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, sjmftLizVeKZw8R.cs -- High entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
                Source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, GzYlpNyzaslb0P5ovfphEnusQWYGKo.cs -- High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
                Source: 1.2.Windows Defender.exe.3695570.1.raw.unpack and 1.2.Windows Defender.exe.36b5590.2.raw.unpack -- High entropy of concatenated method names: the same findings as for 1.2.Windows Defender.exe.50f0000.3.raw.unpack above, for the same eleven classes (IiG77VCIYIyAinp.cs, 4HsJjuIP2UkRI9R.cs, k9ZEaIQ7WE7abcI.cs, yfcXnm8Ph88Q7SS.cs, 85IhxSGtOfNN64Z.cs, DNAvWoxlxYdwRmJ.cs, cwqxDxQiWlgCHGb.cs, hkW0iHAt1n34uyi.cs, I3Th8Mh3i2t6BO8.cs, sjmftLizVeKZw8R.cs, GzYlpNyzaslb0P5ovfphEnusQWYGKo.cs) with identical method-name lists, which indicates that the three memory regions hold copies of the same unpacked assembly
                Source: C:\Users\user\Desktop\Windows Defender.exe -- Process information set: NOOPENFILEERRORBOX (46 occurrences)
                Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (15 occurrences)

                Malware Analysis System Evasion

                barindex
                Source: global traffic; HTTP traffic detected:
                    GET /line/?fields=hosting HTTP/1.1
                    Host: ip-api.com
                    Connection: Keep-Alive
                Source: C:\Users\user\Desktop\Windows Defender.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
                Source: C:\Users\user\Desktop\Windows Defender.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
                Source: Windows Defender.exe, 00000001.00000002.1274563768.00000000028E0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                Source: Windows Defender.exe, 00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, Windows Defender.exe, 00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Windows Defender.exe, 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Windows Defender.exe, 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\Windows Defender.exe; Memory allocated: CA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Windows Defender.exe; Memory allocated: 2690000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Windows Defender.exe; Memory allocated: 2570000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Windows Defender.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                Source: C:\Users\user\Desktop\Windows Defender.exe; File Volume queried: C:\ FullSizeInformation
                Source: Windows Defender.exe, 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
                Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Windows Defender.exe, 00000001.00000002.1273122404.0000000000740000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
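The two evasion behaviours above (a geo-IP lookup for the "hosting" field, sent without a User-Agent, and WQL queries against memory/system classes) are what a detection engineer would want to match in proxy and Sysmon/WMI telemetry. The following is an added example, not code from the Joe Sandbox report or from the sample. It parses the raw request exactly as the report prints it, handles both the named and the numeric "fields" form of ip-api.com (the bit values for hosting and proxy are assumed from the ip-api.com field-mask documentation), and flags WMI queries against VM-fingerprinting classes. The inputs are constructed from the strings shown in this section.

```python
"""Detection logic for the sandbox-evasion behaviour listed above: a geo-IP
"hosting" lookup sent without a User-Agent, plus WMI memory/system queries
used to fingerprint virtual machines.  Added example, not code from the
Joe Sandbox report or from the sample; inputs are constructed from the
strings the report shows."""
from __future__ import annotations

import re
from collections.abc import Iterable
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

GEOIP_HOSTS = {"ip-api.com"}
# Field names whose presence turns a geo-IP lookup into a data-center check.
HOSTING_FIELDS = {"hosting", "proxy"}
# Assumed bit values of ip-api.com's numeric "fields" mask (the context table
# in this report shows other samples using masks such as 11827 and 225545).
IPAPI_HOSTING_BIT = 1 << 24   # 16777216, assumed
IPAPI_PROXY_BIT = 1 << 17     # 131072, assumed
# WMI classes whose values differ between bare metal and a VM.
VM_FINGERPRINT_CLASSES = {"win32_cachememory", "cim_memory", "win32_computersystem",
                          "win32_physicalmemory", "win32_bios", "win32_videocontroller"}
WMI_FROM = re.compile(r"\bselect\b.+?\bfrom\s+(\w+)", re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    detail: str


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_http_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


def check_hosting_lookup(req: HttpRequest) -> list[Finding]:
    """Flag geo-IP lookups asking for hosting/proxy status, and the missing
    User-Agent that marks a hand-rolled HTTP client."""
    findings: list[Finding] = []
    host = req.headers.get("host", "").lower()
    if host not in GEOIP_HOSTS:
        return findings
    requested: set[str] = set()
    for value in parse_qs(urlsplit(req.target).query).get("fields", []):
        if value.isdigit():            # numeric bitmask form
            mask = int(value)
            if mask & IPAPI_HOSTING_BIT:
                requested.add("hosting")
            if mask & IPAPI_PROXY_BIT:
                requested.add("proxy")
        else:                          # comma-separated field names
            requested.update(v.strip().lower() for v in value.split(","))
    hits = sorted(requested & HOSTING_FIELDS)
    if hits:
        findings.append(Finding("Virtualization/Sandbox Evasion",
                                f"{host} queried for {hits}: data-center/colocation check"))
    if "user-agent" not in req.headers:
        findings.append(Finding("Suspicious HTTP client",
                                f"{req.method} {req.target} to {host} without a User-Agent"))
    return findings


def check_wmi_queries(queries: Iterable[str]) -> list[Finding]:
    """Flag WQL queries against classes commonly used to detect VMs."""
    classes = []
    for q in queries:
        m = WMI_FROM.search(q)
        if m and m.group(1).lower() in VM_FINGERPRINT_CLASSES:
            classes.append(m.group(1))
    if not classes:
        return []
    return [Finding("Virtualization/Sandbox Evasion",
                    "WMI hardware fingerprinting: " + ", ".join(classes))]


# Constructed inputs, copied from the request and WMI strings in the report.
SAMPLE_REQUEST = ("GET /line/?fields=hosting HTTP/1.1\r\n"
                  "Host: ip-api.com\r\nConnection: Keep-Alive\r\n\r\n")
SAMPLE_WMI = [
    r"IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory",
    r"IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory",
    r"IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem",
]


def triage(raw_request: str = SAMPLE_REQUEST, wmi: Iterable[str] = SAMPLE_WMI) -> list[Finding]:
    return check_hosting_lookup(parse_http_request(raw_request)) + check_wmi_queries(wmi)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.technique}] {f.detail}")
```

A plain country lookup with a normal User-Agent produces no finding; the combination of the hosting/proxy field and the bare request line is what separates this sample's check from ordinary geo-IP use.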

                Anti Debugging

                barindex
                Source: C:\Users\user\Desktop\Windows Defender.exe; Code function: 1_2_0512387C CheckRemoteDebuggerPresent
                Source: C:\Users\user\Desktop\Windows Defender.exe; Process queried: DebugPort
                Source: C:\Users\user\Desktop\Windows Defender.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Windows Defender.exe; Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\Windows Defender.exe; Queries volume information: C:\Users\user\Desktop\Windows Defender.exe VolumeInformation
                Source: C:\Users\user\Desktop\Windows Defender.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Windows Defender.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.5.dr; Binary or memory string: msmpeng.exe
                Source: Amcache.hve.5.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.5.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
                Source: Amcache.hve.5.dr; Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                barindex
                Source: Yara match; File source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.50f0000.3.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.3695570.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.28bbfd8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.36b5590.2.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1274563768.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: Windows Defender.exe PID: 9212, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Source: Yara match; File source: 1.2.Windows Defender.exe.50f0000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.3695570.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.50f0000.3.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.3695570.1.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.36b5590.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.28bbfd8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.Windows Defender.exe.36b5590.2.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1274563768.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: Windows Defender.exe PID: 9212, type: MEMORYSTR
                MITRE ATT&CK Matrix (techniques listed per tactic in the report's row order; a number in brackets is the badge the report attaches to a matched technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: [11] Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: [1] DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: [1] Process Injection; [1] DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: [3] Virtualization/Sandbox Evasion; [1] Disable or Modify Tools; [1] Process Injection; [1] Deobfuscate/Decode Files or Information; [11] Obfuscated Files or Information; [2] Software Packing; [1] Timestomp; [1] DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: [431] Security Software Discovery; [3] Virtualization/Sandbox Evasion; [1] System Network Configuration Discovery; [23] System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: [11] Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: [1] Encrypted Channel; [1] Ingress Tool Transfer; [2] Non-Application Layer Protocol; [12] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Source | Detection | Scanner | Label
                Windows Defender.exe | 66% | ReversingLabs | Win32.Trojan.Generic
                Windows Defender.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://upx.sf.net | 0% | Avira URL Cloud | safe
                rest-root.gl.at.ply.gg | 100% | Avira URL Cloud | malware
                http://ip-api.com/line/?fields=hosting | 0% | Avira URL Cloud | safe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Avira URL Cloud | safe
                http://ip-api.com | 0% | Avira URL Cloud | safe
                http://ip-api.comd | 0% | Avira URL Cloud | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                ip-api.com | 208.95.112.1 | true | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                rest-root.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown
                http://ip-api.com/line/?fields=hosting | false | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://upx.sf.net | Amcache.hve.5.dr | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Windows Defender.exe, 00000001.00000002.1274563768.0000000002952000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://ip-api.com | Windows Defender.exe, 00000001.00000002.1274563768.0000000002952000.00000004.00000800.00020000.00000000.sdmp, Windows Defender.exe, 00000001.00000002.1274563768.0000000002962000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://ip-api.comd | Windows Defender.exe, 00000001.00000002.1274563768.0000000002962000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                208.95.112.1 | ip-api.com | United States (US) | 53334 | TUT-AS | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1478308
                  Start date and time:2024-07-22 13:56:39 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 55s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                  Run name:Suspected VM Detection
                  Number of new started processes analysed:16
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Windows Defender.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@2/6@1/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 11
                  • Number of non-executed functions: 1
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 20.189.173.20
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • VT rate limit hit for: Windows Defender.exe
                  Time | Type | Description
                  07:58:47 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  208.95.112.1 | kTWqylz02u | malicious | Xehook Stealer | ip-api.com/json/?fields=11827
                  208.95.112.1 | Injector.exe | malicious | ZTrat | ip-api.com/xml/?fields=countryCode,query
                  208.95.112.1 | 2lDAndk18M.exe | malicious | AsyncRAT, Blank Grabber, DcRat | ip-api.com/json/?fields=225545
                  208.95.112.1 | e45AiBoV6X.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
                  208.95.112.1 | iA8m9FfF5v.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
                  208.95.112.1 | R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
                  208.95.112.1 | PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
                  208.95.112.1 | IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
                  208.95.112.1 | winiti.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
                  208.95.112.1 | payment_application.xls | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  ip-api.com | kTWqylz02u | malicious | Xehook Stealer | 208.95.112.1
                  ip-api.com | Injector.exe | malicious | ZTrat | 208.95.112.1
                  ip-api.com | 2lDAndk18M.exe | malicious | AsyncRAT, Blank Grabber, DcRat | 208.95.112.1
                  ip-api.com | e45AiBoV6X.exe | malicious | Blank Grabber | 208.95.112.1
                  ip-api.com | iA8m9FfF5v.exe | malicious | DCRat | 208.95.112.1
                  ip-api.com | R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                  ip-api.com | PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
                  ip-api.com | IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | 208.95.112.1
                  ip-api.com | winiti.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                  ip-api.com | payment_application.xls | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  TUT-AS | kTWqylz02u | malicious | Xehook Stealer | 208.95.112.1
                  TUT-AS | Injector.exe | malicious | ZTrat | 208.95.112.1
                  TUT-AS | 2lDAndk18M.exe | malicious | AsyncRAT, Blank Grabber, DcRat | 208.95.112.1
                  TUT-AS | e45AiBoV6X.exe | malicious | Blank Grabber | 208.95.112.1
                  TUT-AS | iA8m9FfF5v.exe | malicious | DCRat | 208.95.112.1
                  TUT-AS | R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                  TUT-AS | PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
                  TUT-AS | Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
                  TUT-AS | Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
                  TUT-AS | IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | 208.95.112.1
                  No context
                  No context
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):1.2602140632504846
                  Encrypted:false
                  SSDEEP:192:FzMFwR9TKmc9bRaWoe+w62WLvSZDu76sfAIO8B:BMFw7Xc9bRanwYvSZDu76sfAIO8B
                  MD5:FDAB70486428C072718FB967F2A5D2E3
                  SHA1:845913BD3B3FCC101A2F986C6BA222CF43084C53
                  SHA-256:5BADFBF6FBC8627BA44972F443D3008832C17741016D2E0EF0539D36DEA7579B
                  SHA-512:75255229B85E9CF12686BBE0B8D57C27691A4B28C8E2E8A9FA880A5BD9FEC820674B989E0097AAC2C9996414C4FBE68D1839F48CABDCAF7C02D67B0CBD1172FE
                  Malicious:false
                  Reputation:low
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.1.2.3.1.2.5.0.7.7.0.6.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.1.2.3.1.2.5.5.4.5.6.7.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.a.5.3.2.7.9.-.b.9.f.7.-.4.4.f.5.-.a.6.2.e.-.9.c.9.6.4.2.d.9.9.a.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.e.e.e.3.1.a.d.-.c.2.b.9.-.4.9.6.b.-.8.6.8.b.-.4.b.a.9.e.d.1.4.0.3.e.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.V.L.C. .M.e.d.i.a. .P.l.a.y.e.r. .U.p.d.a.t.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.3.f.c.-.0.0.0.1.-.0.0.4.1.-.d.c.9.6.-.7.8.7.e.2.e.d.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.8.9.4.8.0.3.b.0.6.a.9.4.d.0.a.c.7.1.d.4.6.e.b.f.c.1.c.e.0.6.d.0.0.0.0.0.0.0.0.!.0.0.0.0.5.b.6.9.0.c.0.b.e.1.8.4.2.6.6.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 15 streams, Mon Jul 22 11:58:45 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):284736
                  Entropy (8bit):3.8261294913195765
                  Encrypted:false
                  SSDEEP:3072:H7iW+O2pmEBhaV8IPS4uEquyhbt+EJLTgOfw:H7nkXhAS4vyNQETgOI
                  MD5:716B9932D854DFA00FDFEF00B6D5EA29
                  SHA1:10A60D07D1252614017916BB584EBFF0F71C0C17
                  SHA-256:24D66402E63367D1D43AE99C64598A6C67FF529ACE8CAC5C706E1CD34390DC8F
                  SHA-512:E99C1F1D1D9AD564280DD5680CA0F1E194646A7F23AC4403272E5D252F4F12D34C8C0116C05B1BE57A805FC6B1C0AFA22395372E0D0895A3B854C50C7637B22A
                  Malicious:false
                  Reputation:low
                  Preview:MDMP..a..... .......uI.f......................... ..........<....*......t+..Ha..........`.......8...........T............?..p............*...........,..............................................................................bJ......d-......GenuineIntel...........T........#..pI.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8400
                  Entropy (8bit):3.690738488123669
                  Encrypted:false
                  SSDEEP:192:R9l7lZNihc68D6YtdSU9bsEGgmfZNW9pDP89bdCsfAT/m:R9lnNia646Y3SU9bmgmfDXdBfAi
                  MD5:0DC927DEFDE8F073833BDB9C9B6D64EE
                  SHA1:30AD00C22D04278F19FFCD980FA0113312FF64A6
                  SHA-256:BC4EA4CD2963E1F2F7D71AB1C0F7D40658C3F82FDB3542B9954652875C6CA674
                  SHA-512:2385BF998EA6AEA4243E53770D852CA468643BA833FF94A44ED8D64C7700F96D0E27314556EBE575B2D79E1F64F5EC1619FBF9E1E9DEFAD6DFE6B270F3D288DA
                  Malicious:false
                  Reputation:low
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.9.2.1.2.<./.P.i.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4939
                  Entropy (8bit):4.485022978575979
                  Encrypted:false
                  SSDEEP:48:cvIwwtl8zspe702I7VFJ5WS2Cfjk2XGs3rm8M4JVbi9PFCZ+q8vbbi9EnL94EMd:uILfQ7GySPfDJJVrZKbnnL94EMd
                  MD5:245D7C5BE066C611077EB2B422595E81
                  SHA1:C428A2FE6B83D4A3CA658A10E5E7EB84E0B9632C
                  SHA-256:36B1D45FD6868E2C9E07B077A50C4082CB4EE2CB04579C6E72D1A5F7D1BD7939
                  SHA-512:3EA3ADB1CD44A62F30C36926C43279D6439C7F523ADF30FE4E6B3ADA572842D3EE4D7F9D9EF12845FC70FFF12A6A282CE3C60B92BB7D29D362A1193B29C0DE7E
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222765910" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):2359296
                  Entropy (8bit):4.357924899917069
                  Encrypted:false
                  SSDEEP:49152:TQRxc2QgkjPy7Bb/+iDvkUag6nSzfE8lO:O
                  MD5:3413FB10E944EB2EFBE3DE00B8503FDD
                  SHA1:AE701B992A5BB4507616419529FED6B5C6513619
                  SHA-256:63F63569482F3F579D707F41A7774A3F01B6C86E31EBE5E28B865CF8F971322B
                  SHA-512:C7FA06AB6059791E39BB1CB0398C0B444C95060462994F93BD63509F6F08FDB6EEFCBE5A66E946E9310DA97A41CA00A65F4F92D7E0386ED3D6AD5AF5D1B641FC
                  Malicious:false
                  Reputation:low
                  Preview:regfi...i...5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm..M...................................................................................................................................................................................................................................................................................................................................................y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):61440
                  Entropy (8bit):4.6665813660646105
                  Encrypted:false
                  SSDEEP:1536:S052EqHw/us3Qn+uBfAAyXt/m+fewAUZgNf:352THw/P3oAHt/m+Ywuf
                  MD5:97F7D2BD0ED4B88CE7EFD8B0F5A5585C
                  SHA1:BAFBB15B5F6972FAF9872410E957990BF6FE86BE
                  SHA-256:0F778A77D349B5BF6296AEC54C022C59F4135478A2BD08C3ECD163F3B8969CD7
                  SHA-512:D81A21E2F51811211C173A2EEE8B70739A8FC7A3DE94B2B8F13D447662458DA9163595836D65D3426AFFC0679640DD0EC619FC3AF394D1E4CEA26FAA946F56BF
                  Malicious:false
                  Reputation:low
                  Preview:regfh...h...5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm..M...................................................................................................................................................................................................................................................................................................................................................yHvLE........h.....!......0.+.~...BL...R..........`.......p.......0.......`...............0.......p.......`...............................0..............hbin................5.#.^...........nk,....S...............................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk ..'..........(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...................
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.180274275161101
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                  • Win32 Executable (generic) a (10002005/4) 49.97%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Windows Defender.exe
                  File size:502'752 bytes
                  MD5:fa3f84d3150dab7b7d8e35efbb8d02db
                  SHA1:5b690c0be18426633a1954844f49cee2b1e09cb7
                  SHA256:a42d5a457ee0d90dee5cb5ba969687a83ba5626abf040a2f3ed496f83456c162
                  SHA512:a4dd554461e167c6a272f8ca90bcde729c319a115419b2a8874af34241116afadf9e6a4dec7db5e145f7e5a1d98827f0a50861c862abb89de81c3f4703247f1b
                  SSDEEP:6144:OVFOiR8/1j4qvn00lCrBwlAaQrhPDGdcxO:OfR4Ef0lCVwlAFrhGF
                  TLSH:11B41F1D5F96C408D04318F87B9BA434F3EE6D970C077146AEA7BE63B0A5EB129F2446
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!............."...0..2...f.......Q... ...`....@.. ....................................`................................
                  Icon Hash:0f0359756d2d170e
                  Entrypoint:0x4351ce
                  Entrypoint Section:.text
                  Digitally signed:true
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0xB7F4BC21 [Wed Oct 19 17:04:33 2067 UTC] (a far-future value; Roslyn deterministic builds store a content hash in this field instead of a build time, so on a .NET assembly this alone is not proof of header tampering)
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Signature Valid:false
                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                  Signature Validation Error:The digital signature of the object did not verify
                  Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the digest inside the signed data does not match the file's contents, which is what you get when a signature block is grafted from another binary or the file is modified after signing)
                  Validity
                  • Not Before: 11/09/2021 02:00:00, Not After: 08/09/2024 01:59:59
                  Subject Chain
                  • CN=Exodus Movement Inc, O=Exodus Movement Inc, L=Omaha, S=Nebraska, C=US
                  Version:3
                  Thumbprint MD5:CED58D1A90157A37CE233AA1BCD0FB97
                  Thumbprint SHA-1:95CD272425EC24593C8B582B9BD3C1162C1A4FDC
                  Thumbprint SHA-256:C73E87014B0E646F49AF31679721A6173125338348EA2DF9CDB1047227491874
                  Serial:0B82278116BA03AF97BB3C4BC8194D83
                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  (the line above repeats 97 times in the report: the bytes after the stub are zeros, and 00 00 decodes to add byte ptr [eax], al. The jmp is the standard 6-byte native entry stub of a .NET executable, FF 25 plus the address 0x402000 = Imagebase 0x400000 + the 8-byte IAT at RVA 0x2000, whose single slot is mscoree.dll!_CorExeMain from the import table below. Entrypoint 0x4351ce is RVA 0x351ce, so the stub occupies the last 6 bytes of .text, which ends at 0x2000 + 0x331d4 = 0x351d4.)
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35180 | 0x4b | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x46308 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x79a00 | 0x11e0 | .rsrc (see note)
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                  Note: the SECURITY entry is a file offset, not an RVA. 0x79a00 + 0x11e0 = 0x7abe0 = 502'752 bytes, exactly the file size, so the 0x11e0-byte certificate table is appended after the last section's raw data; the ".rsrc" attribution is only the tool treating the offset as an RVA.
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x331d4 | 0x33200 | 0f4d21e8d9e0c18a5b315382d500af19 | False | 0.5495205531784841 | data | 5.273021850836461 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x36000 | 0x46308 | 0x46400 | 8168433606e2d1a219e3966a8d0029c4 | False | 0.08507909808718861 | data | 4.4925734636535966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x7e000 | 0xc | 0x200 | 9c2895fcf2d6a1c09cba60f6749c50df | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0x361c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | - | - | 0.50177304964539
                  RT_ICON | 0x36628 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | - | - | 0.2924484052532833
                  RT_ICON | 0x376d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | - | - | 0.22780082987551867
                  RT_ICON | 0x39c78 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | - | - | 0.07216247004171968
                  RT_GROUP_ICON | 0x7bca0 | 0x3e | data | - | - | 0.7580645161290323
                  RT_VERSION | 0x7bce0 | 0x43c | data | - | - | 0.45295202952029523
                  RT_MANIFEST | 0x7c11c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 22, 2024 13:58:45.665452003 CEST | 49771 | 80 | 192.168.11.20 | 208.95.112.1
                  Jul 22, 2024 13:58:45.769500017 CEST | 80 | 49771 | 208.95.112.1 | 192.168.11.20
                  Jul 22, 2024 13:58:45.769762993 CEST | 49771 | 80 | 192.168.11.20 | 208.95.112.1
                  Jul 22, 2024 13:58:45.770914078 CEST | 49771 | 80 | 192.168.11.20 | 208.95.112.1
                  Jul 22, 2024 13:58:45.876930952 CEST | 80 | 49771 | 208.95.112.1 | 192.168.11.20
                  Jul 22, 2024 13:58:45.919534922 CEST | 49771 | 80 | 192.168.11.20 | 208.95.112.1
                  Jul 22, 2024 13:58:49.466415882 CEST | 49771 | 80 | 192.168.11.20 | 208.95.112.1
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 22, 2024 13:58:45.549839973 CEST | 63755 | 53 | 192.168.11.20 | 1.1.1.1
                  Jul 22, 2024 13:58:45.661248922 CEST | 53 | 63755 | 1.1.1.1 | 192.168.11.20
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 22, 2024 13:58:45.549839973 CEST | 192.168.11.20 | 1.1.1.1 | 0x5022 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 22, 2024 13:58:45.661248922 CEST | 1.1.1.1 | 192.168.11.20 | 0x5022 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                  • ip-api.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.11.20 | 49771 | 208.95.112.1 | 80 | 9212 | C:\Users\user\Desktop\Windows Defender.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 22, 2024 13:58:45.770914078 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Jul 22, 2024 13:58:45.876930952 CEST | 174 | IN | HTTP/1.1 200 OK
                  Date: Mon, 22 Jul 2024 11:58:45 GMT
                  Content-Type: text/plain; charset=utf-8
                  Content-Length: 5
                  Access-Control-Allow-Origin: *
                  X-Ttl: 60
                  X-Rl: 44
                  Data Raw: 74 72 75 65 0a
                  Data Ascii: true
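                  The exchange above is the sample's data-center check: ip-api.com's /line/ endpoint answers a fields=hosting query with a bare true or false, and the reply here was true because the sandbox sits on hosting-provider address space, so the sample learns it is not on a victim's residential machine. The Python below is an added example, not part of the Joe Sandbox report or of the XWorm sample. It reconstructs the two HTTP messages from the report (their encoded lengths come out at the report's 80 and 174 bytes), flags the probe and the missing User-Agent header the signatures list, and interprets the reply the way the malware would. The probe host list, the inclusion of the proxy field alongside hosting, and the helper names are my assumptions for generalisation.

```python
"""Detect and interpret the ip-api.com 'am I in a data center?' probe.

Added example, not from the report or the sample. REQUEST and REPLY are
reconstructed from the report's HTTP capture; everything else is assumed.
"""
from urllib.parse import parse_qs, urlsplit

# Reconstructed from the report: 80 bytes out, 174 bytes in.
REQUEST = (
    "GET /line/?fields=hosting HTTP/1.1\r\n"
    "Host: ip-api.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 22 Jul 2024 11:58:45 GMT\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Length: 5\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "X-Ttl: 60\r\n"
    "X-Rl: 44\r\n"
    "\r\n"
    "true\n"
)

# Assumptions: the GeoIP services worth flagging and the fields a RAT
# queries to decide whether it is running on hosting/VPN address space.
GEOIP_PROBE_HOSTS = {"ip-api.com"}
EVASION_FIELDS = {"hosting", "proxy"}


def parse_http(raw: str):
    """Split a raw HTTP/1.1 message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze_request(raw: str) -> dict:
    """Describe a request and say whether it is a hosting/proxy probe."""
    start, headers, _ = parse_http(raw)
    method, target, _ = start.split(" ", 2)
    url = urlsplit(target)
    fields = set()
    for value in parse_qs(url.query).get("fields", []):
        fields.update(f.strip() for f in value.split(","))
    host = headers.get("host", "")
    return {
        "method": method,
        "host": host,
        "path": url.path,
        "fields": sorted(fields),
        "user_agent": headers.get("user-agent"),  # None: the no-UA signature
        "hosting_probe": host in GEOIP_PROBE_HOSTS and bool(fields & EVASION_FIELDS),
    }


def parse_hosting_reply(raw: str):
    """Return True/False from a /line/ reply body, or None if it is not a flag."""
    _, headers, body = parse_http(raw)
    length = int(headers.get("content-length", len(body)))
    return {"true": True, "false": False}.get(body[:length].strip().lower())


def verdict(request: str, reply: str) -> str:
    """One-line analyst summary of what the probe told the sample."""
    req = analyze_request(request)
    if not req["hosting_probe"]:
        return "no geoip hosting probe"
    ua = "no User-Agent" if req["user_agent"] is None else f"UA={req['user_agent']!r}"
    flag = parse_hosting_reply(reply)
    if flag is True:
        return f"hosting probe to {req['host']} ({ua}); reply says data-center IP, sample likely bails"
    if flag is False:
        return f"hosting probe to {req['host']} ({ua}); reply says residential IP, sample likely continues"
    return f"hosting probe to {req['host']} ({ua}); reply is not a boolean"


if __name__ == "__main__":
    print(verdict(REQUEST, REPLY))
```

The Content-Length-bounded read in parse_hosting_reply matters on a keep-alive connection, where the next response may already sit in the same buffer; the probe is recognised from the Host header plus the fields parameter rather than the full path, because the same service also answers /json/ and /csv/ with the same fields.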


                  Target ID:1
                  Start time:07:58:40
                  Start date:22/07/2024
                  Path:C:\Users\user\Desktop\Windows Defender.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Windows Defender.exe"
                  Imagebase:0x150000
                  File size:502'752 bytes
                  MD5 hash:FA3F84D3150DAB7B7D8E35EFBB8D02DB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1279764215.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1279764215.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1280549736.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1274563768.0000000002895000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1274563768.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:5
                  Start time:07:58:44
                  Start date:22/07/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 9212 -s 1632
                  Imagebase:0x980000
                  File size:482'640 bytes
                  MD5 hash:40A149513D721F096DDF50C04DA2F01F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true


                    Execution Graph

                    Execution Coverage:17.7%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:19.4%
                    Total number of Nodes:31
                    Total number of Limit Nodes:2
                    execution_graph 14611 caf6c0 14612 caf6c8 14611->14612 14616 5120090 14612->14616 14621 5120081 14612->14621 14613 caf6f1 14617 5120099 14616->14617 14618 51200a3 14617->14618 14626 5125743 14617->14626 14631 5125750 14617->14631 14618->14613 14623 5120090 14621->14623 14622 51200a3 14622->14613 14623->14622 14624 5125743 CheckRemoteDebuggerPresent 14623->14624 14625 5125750 CheckRemoteDebuggerPresent 14623->14625 14624->14622 14625->14622 14627 5125750 14626->14627 14628 5125775 14627->14628 14636 512387c 14627->14636 14628->14618 14633 512576d 14631->14633 14632 5125775 14632->14618 14633->14632 14634 512387c CheckRemoteDebuggerPresent 14633->14634 14635 5125979 14634->14635 14635->14618 14637 51259b0 CheckRemoteDebuggerPresent 14636->14637 14639 5125979 14637->14639 14639->14618 14640 caa160 14641 caa1ae NtProtectVirtualMemory 14640->14641 14643 caa1f8 14641->14643 14644 caf590 14645 cafb34 14644->14645 14646 caf5b9 14644->14646 14648 5120090 CheckRemoteDebuggerPresent 14646->14648 14649 5120081 CheckRemoteDebuggerPresent 14646->14649 14647 caf6f1 14648->14647 14649->14647
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1280665698.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5120000_Windows Defender.jbxd
                    Similarity
                    • API ID:
                    • String ID: (o8r$(o8r$(o8r$,<r$,<r$H<r
                    • API String ID: 0-2343796327
                    • Opcode ID: ecb11bcfc8d5a8cbb9ec2d55e137a6af09eed5331655c14c9ef362ee0c43e0d7
                    • Instruction ID: e736d8bb543754944ae8bf80316d7ef659d2f3815a715a69af1c58e8d957efd3
                    • Opcode Fuzzy Hash: ecb11bcfc8d5a8cbb9ec2d55e137a6af09eed5331655c14c9ef362ee0c43e0d7
                    • Instruction Fuzzy Hash: 74728134A002199FDB14DF69C994BAEBBF6FF88300F148159E916AB3A1DB34DD51CB90

                    Control-flow Graph

                    control_flow_graph 513 caf590-caf5b3 514 caf5b9-caf6e2 513->514 515 cafb34-cafbfa 513->515 563 caf6eb 514->563 564 caf6e4 514->564 543 cafbff-cafc32 515->543 663 caf6eb call 5120090 563->663 664 caf6eb call 5120081 563->664 564->563 565 caf6f1-caf765 call cae8c0 call cae8d0 577 caf776-caf785 565->577 578 caf767-caf76f 565->578 581 caf7a7-caf8b4 call ca0228 call cae8e0 577->581 582 caf787-caf7a1 call cae8c0 577->582 578->577 605 caf8ba-caf8de 581->605 606 cafa2f-cafa42 581->606 582->581 609 caf92c-caf955 605->609 610 caf8e0-caf8e7 605->610 616 cafa47-cafa9c 606->616 621 caf96c-caf97f 609->621 622 caf957-caf96a 609->622 610->606 612 caf8ed-caf90f 610->612 626 caf911-caf917 612->626 627 caf927-caf92a 612->627 646 cafa9e 616->646 647 cafaa4-cafb33 616->647 625 caf987-caf9b3 621->625 622->625 637 caf9ca-caf9dd 625->637 638 caf9b5-caf9c8 625->638 628 caf91b-caf91d 626->628 629 caf919 626->629 627->609 628->627 629->627 639 caf9e5-cafa2d call cae8f0 637->639 638->639 639->616 646->647 663->565 664->565
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.1274232601.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_ca0000_Windows Defender.jbxd
                    Similarity
                    • API ID:
                    • String ID: $8r$$8r$$8r
                    • API String ID: 0-1098494293
                    • Opcode ID: bbf3485db785ca307ba03afcea58c7c2d95938b7d8ecabc0311746048f0c8178
                    • Instruction ID: 2885c33a2f1e1146eb36d8015b838d42d71de351f4e382dbe90591e12511ea50
                    • Opcode Fuzzy Hash: bbf3485db785ca307ba03afcea58c7c2d95938b7d8ecabc0311746048f0c8178
                    • Instruction Fuzzy Hash: 4BF182347012059FDB19AFB8E868B7D3BB7BF89700F108429E5069B3A9DF759C018B95

                    Control-flow Graph

                    control_flow_graph 1366 512387c-5125a34 CheckRemoteDebuggerPresent 1369 5125a36-5125a3c 1366->1369 1370 5125a3d-5125a78 1366->1370 1369->1370
                    APIs
                    • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 05125A27
                    Memory Dump Source
                    • Source File: 00000001.00000002.1280665698.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5120000_Windows Defender.jbxd
                    Similarity
                    • API ID: CheckDebuggerPresentRemote
                    • String ID:
                    • API String ID: 3662101638-0
                    • Opcode ID: dcc0dab97992d41c0d7a803b31a9d6ec76657a9554003ee934683269cbbd041f
                    • Instruction ID: 2472ac5ca896f6061a98c6b3a76f186de567fdb04e06f03673b83b30ddd2536a
                    • Opcode Fuzzy Hash: dcc0dab97992d41c0d7a803b31a9d6ec76657a9554003ee934683269cbbd041f
                    • Instruction Fuzzy Hash: B42148B1800259CFDB00CF9AD884BEEFBF5FF48214F15842AE459A7641D778A944CFA1

                    Control-flow Graph

                    control_flow_graph 1380 caa158-caa1f6 NtProtectVirtualMemory 1383 caa1f8-caa1fe 1380->1383 1384 caa1ff-caa224 1380->1384 1383->1384
                    APIs
                    • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00CAA1E9
                    Memory Dump Source
                    • Source File: 00000001.00000002.1274232601.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_ca0000_Windows Defender.jbxd
                    Similarity
                    • API ID: MemoryProtectVirtual
                    • String ID:
                    • API String ID: 2706961497-0
                    • Opcode ID: 676e598601c4ff692dd259d6979c6887fbd1255966670254e1dce86674bd612e
                    • Instruction ID: 889d0a043e2d8f0dce0edb0fc488bd7d97ac8861e1332cec3b5ae9d42a7e4d3c
                    • Opcode Fuzzy Hash: 676e598601c4ff692dd259d6979c6887fbd1255966670254e1dce86674bd612e
                    • Instruction Fuzzy Hash: BC21F2B1D013499FDB10CFAAD984AEEFBF5FF48314F20842AE419A7240D7759905CBA1

                    Control-flow Graph

                    control_flow_graph 1388 caa160-caa1f6 NtProtectVirtualMemory 1391 caa1f8-caa1fe 1388->1391 1392 caa1ff-caa224 1388->1392 1391->1392
                    APIs
                    • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00CAA1E9
                    Memory Dump Source
                    • Source File: 00000001.00000002.1274232601.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_ca0000_Windows Defender.jbxd
                    Similarity
                    • API ID: MemoryProtectVirtual
                    • String ID:
                    • API String ID: 2706961497-0
                    • Opcode ID: 7400b32d18a452f10f1aee87006ad83b5a55922a1acb4d5a2ef02f1548b7d7fd
                    • Instruction ID: c126b73cbf2f829b277ff3d2bed95f886d0430324125d076e36a25840160de96
                    • Opcode Fuzzy Hash: 7400b32d18a452f10f1aee87006ad83b5a55922a1acb4d5a2ef02f1548b7d7fd
                    • Instruction Fuzzy Hash: 2621FFB1D013499FDB10CFAAD984AEEFBF5FF48314F20842AE519A7240D775A904CBA1
                    Memory Dump Source
                    • Source File: 00000001.00000002.1274232601.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_ca0000_Windows Defender.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5d72b379d69fc012fa1539483941874fe9efbedce1987303d85588148834004e
                    • Instruction ID: f53a45c0a3317382528dce58f19238e70a392e0244761a15cbb8a5a1cd4cce24
                    • Opcode Fuzzy Hash: 5d72b379d69fc012fa1539483941874fe9efbedce1987303d85588148834004e
                    • Instruction Fuzzy Hash: CAB1A370E0025ACFDB10CFA9D9957DEBBF2AF49308F148129E815A7290EB749E41CB91
                    Memory Dump Source
                    • Source File: 00000001.00000002.1274232601.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_ca0000_Windows Defender.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 392b511a369c86da41f325b85b14d5892b292b9be776ea612520fb6fff66e7da
                    • Instruction ID: 9e16ed5a20f4effc24113c16909631b35bace36433e789480f991bb00b34ff19
                    • Opcode Fuzzy Hash: 392b511a369c86da41f325b85b14d5892b292b9be776ea612520fb6fff66e7da
                    • Instruction Fuzzy Hash: AFB17270E0020ACFDF18CFA9D9857DDBBF2BF89318F148529D825A7254EBB49945CB81
                    Memory Dump Source
                    • Source File: 00000001.00000002.1274232601.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_ca0000_Windows Defender.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 760a2f5249202a3663c6fde6bb5a3badd96039953c6207dc74ac8bc6e790f466
                    • Instruction ID: 816169a1e5b7ce1c9046ea166f1221c210a08c7a4ae68e3b9c2137bc719e5795
                    • Opcode Fuzzy Hash: 760a2f5249202a3663c6fde6bb5a3badd96039953c6207dc74ac8bc6e790f466
                    • Instruction Fuzzy Hash: 03216A74D46A09CBCB04DF65E8487FDB7B5FB8B305F00E029E415A3254CB740A89CB95

                    Control-flow Graph

                    control_flow_graph 1373 51259ab-5125a34 CheckRemoteDebuggerPresent 1376 5125a36-5125a3c 1373->1376 1377 5125a3d-5125a78 1373->1377 1376->1377
                    APIs
                    • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 05125A27
                    Memory Dump Source
                    • Source File: 00000001.00000002.1280665698.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5120000_Windows Defender.jbxd
                    Similarity
                    • API ID: CheckDebuggerPresentRemote
                    • String ID:
                    • API String ID: 3662101638-0
                    • Opcode ID: fc758fca6e7243b9c84ef914400e00ca6f7890191335e2bf891a6ee8bb209f12
                    • Instruction ID: 08b65d5a5c882c280c6ecec99502207e562fc58fb40755c310ed7551cee69b9d
                    • Opcode Fuzzy Hash: fc758fca6e7243b9c84ef914400e00ca6f7890191335e2bf891a6ee8bb209f12
                    • Instruction Fuzzy Hash: 642125B2800259CFDB00CF9AD885BEEFBF5AF48214F15842AE855A7641D778A944CF61
                    Memory Dump Source
                    • Source File: 00000001.00000002.1273859925.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_9fd000_Windows Defender.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ff27a72953850f3928bb2d99a9eb3ca8a2e1d4e14668d40b481863ae0215bfe8
                    • Instruction ID: acd6e1c684f020d8c67a78fdc760a0b60a34b0f5092c390d60bcb59b2d31c83a
                    • Opcode Fuzzy Hash: ff27a72953850f3928bb2d99a9eb3ca8a2e1d4e14668d40b481863ae0215bfe8
                    • Instruction Fuzzy Hash: 972137B1504348DFDB00DF14D9C4F26BB67FB98314F208569EA094F256C33AD856DBA2
                    Memory Dump Source
                    • Source File: 00000001.00000002.1273859925.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_9fd000_Windows Defender.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 66e9b06044a43a9dacc60d89ace84213b36264ddc5abfe4f91f937dba0617c70
                    • Instruction ID: 1f0e2c6bbc2befada4ec07c0c7f4909cdb9375a60989807fd04fac12a96f218a
                    • Opcode Fuzzy Hash: 66e9b06044a43a9dacc60d89ace84213b36264ddc5abfe4f91f937dba0617c70
                    • Instruction Fuzzy Hash: 2811D376504284CFDB11CF14D9C4B26BF72FB94314F2486A9D9094F656C33AD85ACBA1
                    Memory Dump Source
                    • Source File: 00000001.00000002.1274232601.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_ca0000_Windows Defender.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 702e29e1ffeca3ffa1b4f0bb931a44c4fae2a9011b84514f92fd5e6f72860970
                    • Instruction ID: 0c786732f5d96c21edf6709125fe4e229f3f6cc7a8ea23b35275e09e48ed04b6
                    • Opcode Fuzzy Hash: 702e29e1ffeca3ffa1b4f0bb931a44c4fae2a9011b84514f92fd5e6f72860970
                    • Instruction Fuzzy Hash: 1E918FB0E0024A9FDB10CFA9C9957DDBBF2BF49308F248129E415E7390EB749A45CB81