ID: 333806 Sample Name: DefenderControl.exe Cookbook: default.jbs Time: 00:40:46 Date: 24/12/2020 Version: 31.0.0 Red Diamond



Table of Contents

Analysis Report DefenderControl.exe
Overview
General Information
Detection
Signatures
Classification
Analysis Advice
Startup
Malware Configuration
Yara Overview
Dropped Files
Memory Dumps
Sigma Overview
Signature Overview
Malware Analysis System Evasion:
Mitre Att&ck Matrix
Behavior Graph
Screenshots
Thumbnails
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
Domains and IPs
Contacted Domains
URLs from Memory and Binaries
Contacted IPs
General Information
Simulations
Behavior and APIs
Joe Sandbox View / Context
IPs
Domains
ASN
JA3 Fingerprints
Dropped Files
Created / dropped Files
Static File Info
General
File Icon
Static PE Info
General
Authenticode Signature
Entrypoint Preview
Rich Headers
Data Directories
Sections
Resources
Imports
Version Infos
Possible Origin
Network Behavior
Code Manipulations

Copyright null 2020 Page 2 of 20


Statistics
System Behavior
Analysis Process: DefenderControl.exe PID: 3504 Parent PID: 5760
General
File Activities
File Created
File Deleted
File Written
File Read
Disassembly
Code Analysis


Analysis Report DefenderControl.exe

Overview

General Information

Sample Name:

DefenderControl.exe

Analysis ID: 333806

MD5: 3a24a7b7c1ba74…

SHA1: 5da4de1dbba557…

SHA256: a201f7f81277e28…

Most interesting Screenshot:

Detection

Score: 36

Range: 0 - 100

Whitelisted: false

Confidence: 20%

Signatures

Found stalling execution ending in API Sleep call
Contains capabilities to detect virtua…
Contains functionality for read data f…
Contains functionality to access load…
Contains functionality to check if a d…
Contains functionality to check if a w…
Contains functionality to communica…
Contains functionality to dynamically…
Contains functionality to execute pro…
Contains functionality to launch a pr…
Contains functionality to launch a pr…
Contains functionality to open a port…
Contains functionality to query CPU …
Contains functionality to read the cli…
Contains functionality to retrieve info…
Contains functionality to shutdown / …
Contains functionality to simulate ke…
Contains functionality to simulate m…
Contains functionality which may be…
Creates a DirectInput object (often fo…
Detected potential crypto function
Found a high number of Window / Us…
Found large amount of non-executed…
Found potential string decryption / a…
May sleep (evasive loops) to hinder …
PE / OLE file has an invalid certificate
PE file contains strange resources
Potential key logger detected (key s…
Sample execution stops while proce…
Sample file is different than original …
Sleep loop found (likely to delay exe…
Uses code obfuscation techniques (…
Yara signature match

Classification

Classification chart (radar): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Startup

System is w10x64
DefenderControl.exe (PID: 3504 cmdline: 'C:\Users\user\Desktop\DefenderControl.exe' MD5: 3A24A7B7C1BA74A5AFA50F88BA81D550)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\wnbclmk | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | 0x4a23:$s9: 5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E |


Sigma Overview

No Sigma rule has matched

Signature Overview

• Spreading

• Networking

• Key, Mouse, Clipboard, Microphone and Screen Capturing

• System Summary

• Data Obfuscation

• Hooking and other Techniques for Hiding and Protection

• Malware Analysis System Evasion

• Anti Debugging

• HIPS / PFW / Operating System Protection Evasion

• Language, Device and Operating System Detection

• Remote Access Functionality


Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts 2 | Native API 1 | Valid Accounts 2 | Valid Accounts 2 | Masquerading 1 | Input Capture 3 1 | System Time Discovery 2 | Remote Services | Input Capture 3 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Exploitation for Privilege Escalation 1 | Valid Accounts 2 | LSASS Memory | Security Software Discovery 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Access Token Manipulation 2 1 | Virtualization/Sandbox Evasion 3 1 | Security Account Manager | Virtualization/Sandbox Evasion 3 1 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location |
| Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 1 | Access Token Manipulation 2 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 1 | LSA Secrets | Application Window Discovery 1 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | File and Directory Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | System Information Discovery 1 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |

Yara Overview: Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000000.00000002.579588699.00000000008BD000.00000004.00000001.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | 0x69e3:$s9: 5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E |
| 00000000.00000003.204202979.00000000033A4000.00000004.00000001.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | 0x3d7b:$s9: 5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E |
| 00000000.00000002.581223960.00000000033A0000.00000004.00000001.sdmp | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | Florian Roth | 0x15d73:$s9: 5C536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E |

Behavior Graph

ID: 333806
Sample: DefenderControl.exe
Startdate: 24/12/2020
Architecture: WINDOWS
Score: 36

Graph nodes: DefenderControl.exe (3), started; signature: Found stalling execution ending in API Sleep call.

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| DefenderControl.exe | 6% | Virustotal | | Browse |
| DefenderControl.exe | 6% | Metadefender | | Browse |
| DefenderControl.exe | 7% | ReversingLabs | Win32.PUA.DefenderControl | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| ocsp.thawte.com0 | 0% | URL Reputation | safe | |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| crl.thawte.com/ThawteTimestampingCA.crl0 | DefenderControl.exe | false | | high |
| ocsp.thawte.com0 | DefenderControl.exe | false | URL Reputation: safe | unknown |

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 333806
Start date: 24.12.2020
Start time: 00:40:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DefenderControl.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus36.evad.winEXE@1/3@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe; Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files


C:\Users\user\AppData\Local\Temp\autB6B9.tmp

Process: C:\Users\user\Desktop\DefenderControl.exe

File Type: data

Category: dropped

Size (bytes): 31960

Entropy (8bit): 7.8027030456872515

Encrypted: false

SSDEEP: 768:YPDaQsGEvu69FJ7TeKG9ZxGC7zPnSDnj5cf8Bk65vyhdB:0EZ9CFoC7O3C8i

MD5: 446A845A0963C84E6B7F1C6B648ADF62

SHA1: CB1CBE37E07A838BB5B1232FFFEB0A1CE4C33473

SHA-256: 950BD3BF22CA0BF4DAA3B12AF5EB6356F0810E93AE1E86FB419646C3AAB588DB

SHA-512: E755AFC61913A9841E83A17F417ACAF3F802C44C09ACC8DE87F54630AFEEC437CD0EEAB21A572C41941B38632B0A7CD7A4CB34ACBCC2FED00A1064FBC9CB1B1C

Malicious: false

Reputation: low

Preview:$%....}..Q&.Y..o4.M&.Y..mC.Lf.)..k6..f.:M..4..f.I...1....Y..k7.......o2.L.............)..'@....H....Y..j.0.&[email protected]..#.i..o4.X(.j..a7.L.3*,.l.ZL..* ..1..&..`..2.M.Sy...2.P..Y..iC.f.....m4.J.ft....Pp..@[email protected]..' %..m4....&(.I.......z.5.... .2p.a.Mg.9.../.%%....?.a`.P.$.M.........D..$..&.7....a..p...V(..l.r.8..p......y..97.. [email protected]..@........&3j,.n..Q.E......:.@...)1.=@...`..mB.n@1I.........}.@..)f.`....\....P....g...f.P._.i8.P..9.../S9....t....J...z...j....o..;...i....Q&.`.<........+3..S W8... O...'.M.?..".4....>..>`A/...S....5..............`[email protected]............./. .I4.f...5...?..h.w.0....Qf.p..l.@.:.&d.. ..........(.7.M.*I.../SP..j.{[email protected].)p..f.5..h.H...4......+I.%.7...$....O........1.j' ...(....3pb....1(.!y...@.~..8...Lf.................e4....I..T.......@.,......B.x.\.... ..M..`[email protected].!.(..6...0.../......`.......h......=........L.0.....z.%

C:\Users\user\AppData\Local\Temp\wnbclmk

Process: C:\Users\user\Desktop\DefenderControl.exe

File Type: ASCII text, with very long lines, with no line terminators

Category: dropped

Size (bytes): 97701

Entropy (8bit): 3.3666524462666927

Encrypted: false

SSDEEP: 1536:o+UDnC6oEkfiiwxholIq3BgbXli0FxIVzJGrrLps6oWNcV:ek1whoeqF

MD5: B9B96CDCEF855AB98EE55AF4EC32C96A

SHA1: 010C784F9FD1D97B45C2D5F0DEB8A3F9CEC13F5C

SHA-256: 2721F4949FDF46A89A1454E4EDBC3BC178F764F58955BEFA74BCBA57F7B0FA45

SHA-512: 7483E7F4A93891BAF12B60523DDB9731731C9E29B58AAC8D21743D171D51A89B8674179F29F55AF633CBE505A5BBA4F647C6A0757A434284BEB09376913BA7F0

Malicious: false

Yara Hits: Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: C:\Users\user\AppData\Local\Temp\wnbclmk, Author: Florian Roth

Reputation: low

Preview:4D7573744465636C61726556617273IC]47554944617461536570617261746F7243686172IC]57696E44657465637448696464656E54657874IC]446566656E64657220436F6E74726F6C2076312E36IC]202D20417574686F7220627920426C75654C696665IC]64436F6E74726F6C3A76312E36IC]57696E446566656E64IC]323031352D32303139IC]2040557365724E616D6520IC]2040436F6D70696C656420IC]20404175746F497445786520IC]20404F534172636820IC]20404175746F497458363420IC]546F20737461727420736F66747761726520796F75206D75737420686176652041646D696E6973747261746F722072696768747321IC]204057696E646F777344697220IC]7573657233322E646C6CIC]4572726F72IC]43616E2774206F70656E207573657233322E646C6CIC]61647661706933322E646C6CIC]4572726F72IC]43616E2774206F70656E2061647661706933322E646C6CIC]6B65726E656C33322E646C6CIC]4572726F72IC]43616E2774206F70656E206B65726E656C33322E646C6CIC]55736572656E762E646C6CIC]55736572656E762E646C6CIC]7368656C6C33322E646C6CIC]7368656C6C33322E646C6CIC]6F6C6533322E646C6CIC]6F6C6533322E646C6CIC]484B4C4DIC]484B4355IC]3634IC]3634IC]2040536372697074446972

C:\Users\user\Desktop\DefenderControl.ini

Process: C:\Users\user\Desktop\DefenderControl.exe

File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators

Category: dropped

Size (bytes): 1492

Entropy (8bit): 3.565830734144656

Encrypted: false

SSDEEP: 24:QlCnP1w7T5dMqMNYhLeBFEH5Ec75+CMrFUja17B1MoiP2lGikpzCpsBa:oCnNw3zMqWYhLlWc7DMnzMlCGi2CpsBa

MD5: DD767ACA837C4FAF45D40661B336A9B6

SHA1: C8BAEB0A7DAEC87B7F91B997A031AB687E046F76

SHA-256: E4AA54DF2ADD232F66CF72F7C9826E7AD3AAAF930109D187B6D5E00806D49B2B

SHA-512: A3562E2958E63E33C952B7A0514DB84909735213F8E2E1AD9912E7EA108DEBAE016FB37EDAD973BC5AF368E90C117D07B539607DEFF8BAB59D6EAE7FEBBF05F1

Malicious: false

Reputation: low

Preview:..;. .G.e.n.e.r.a.t.e.d. .(.2.4...1.2...2.0.2.0. .0.0.:.4.1.:.3.5.). .b.y. .D.e.f.e.n.d.e.r. .C.o.n.t.r.o.l. .v.1...6.....;. .w.w.w...s.o.r.d.u.m...o.r.g.........[.M.a.i.n.].....L.a.n.g.u.a.g.e.=.A.u.t.o.....H.i.d.e.W.i.n.d.o.w.O.n.S.t.a.r.t.u.p.=.0.....H.i.d.e.W.h.e.n.M.i.n.i.m.i.z.e.d.=.0.........[.L.a.n.g.u.a.g.e._.E.n.g.l.i.s.h.].....0.1.=.".B.l.u.e.L.i.f.e.".....0.2.=.".W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .i.s. .r.u.n.n.i.n.g.".....0.3.=.".W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .i.s. .t.u.r.n.e.d. .o.f.f.".....0.4.=.".W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .c.a.n.n.o.t. .b.e. .s.t.a.r.t.e.d.".....0.5.=.".W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .s.e.r.v.i.c.e. .n.o.t. .f.o.u.n.d.".....0.6.=.".R.e.a.l.-.t.i.m.e. .p.r.o.t.e.c.t.i.o.n. .i.s. .t.u.r.n.e.d. .o.f.f.".....0.7.=.".&.D.i.s.a.b.l.e. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.".....0.8.=.".&.E.n.a.b.l.e. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.".....0.9.=.".&.O.p.e.n. .S.e.c.u.r.i.t.y. .C.e.n.t.e.r.".....1.0.=.".&.M.e.n.u. .......".....1.1.=.".&.D.e.f.e.n.d.e.r. .


Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows

Entropy (8bit): 6.961449290934527

TrID: Win32 Executable (generic) a (10002005/4) 99.96%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%; Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%

File name: DefenderControl.exe

File size: 846008

MD5: 3a24a7b7c1ba74a5afa50f88ba81d550

SHA1: 5da4de1dbba55774891497297396fd2e5c306cf5

SHA256: a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae

SHA512: 2f882ddc039ba0f3526b05a499a6ec1e7d47fca259fa48dcf0a5f345168c07f815273b8e702b0cfd396063da0dc55ad8ad62b91015d2157deae5457ba34754a9

SSDEEP: 12288:baWzgMg7v3qnCi3ErQohh0F4JCJ8lnydQ79QudhzYOejoiQv2ju8S0c/J:uaHMv6CDrjRnydQu+ejMZ1R

File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon

Icon Hash: 16dada9cacc8c082

Static PE Info

General

Entrypoint: 0x416310
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4BC81615 [Fri Apr 16 07:47:33 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: aaaa8913c89c8aa4a5d93f06853894da

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=Sordum Software
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before, Not After: 12/31/2005 1:00:00 PM, 12/31/2025 1:00:00 PM
Subject Chain: CN=Sordum Software
Version: 3
Thumbprint MD5: 741DC74545C1BA662CD721D502AEC85C
Thumbprint SHA-1: F5E71628A478A248353BF0177395223D2C5A0E43
Thumbprint SHA-256: 9333E2DFEE836F88AF7A81A5F80C19798D39234F1AF98EEECA661E13BB45BDAB
Serial: C2CBBD946BC3FDB944D522931D61D51A

Entrypoint Preview

Instruction

call 00007FDBDC7F1D8Ch

jmp 00007FDBDC7E5B5Eh

int3

int3

int3

int3

int3

int3

push ebp

mov ebp, esp

push edi

push esi

mov esi, dword ptr [ebp+0Ch]

mov ecx, dword ptr [ebp+10h]

mov edi, dword ptr [ebp+08h]

mov eax, ecx

mov edx, ecx

add eax, esi

cmp edi, esi

jbe 00007FDBDC7E5CEAh

cmp edi, eax

jc 00007FDBDC7E5E8Ah

cmp ecx, 00000100h

jc 00007FDBDC7E5D01h

cmp dword ptr [004A94E0h], 00000000h

je 00007FDBDC7E5CF8h

push edi

push esi

and edi, 0Fh

and esi, 0Fh

cmp edi, esi

pop esi

pop edi

jne 00007FDBDC7E5CEAh

pop esi

pop edi

pop ebp

jmp 00007FDBDC7E614Ah

test edi, 00000003h

jne 00007FDBDC7E5CF7h

shr ecx, 02h

and edx, 03h

cmp ecx, 08h

jc 00007FDBDC7E5D0Ch

rep movsd

jmp dword ptr [00416494h+edx*4]

nop

mov eax, edi

mov edx, 00000003h

sub ecx, 04h

jc 00007FDBDC7E5CEEh

and eax, 03h

add ecx, eax

jmp dword ptr [004163A8h+eax*4]

jmp dword ptr [004164A4h+ecx*4]

nop

jmp dword ptr [00416428h+ecx*4]

nop


mov eax, E4004163h

arpl word ptr [ecx+00h], ax

or byte ptr [ecx+eax*2+00h], ah

and edx, ecx

mov al, byte ptr [esi]

mov byte ptr [edi], al

mov al, byte ptr [esi+01h]

mov byte ptr [edi+01h], al

mov al, byte ptr [esi+02h]

shr ecx, 02h

mov byte ptr [edi+02h], al

add esi, 03h

add edi, 03h

cmp ecx, 08h

jc 00007FDBDC7E5CAEh


Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729

[ C ] VS2008 SP1 build 30729

[ C ] VS2005 build 50727

[ASM] VS2008 build 21022

[IMP] VS2005 build 50727

[RES] VS2008 build 21022

[LNK] VS2008 SP1 build 30729

[C++] VS2008 SP1 build 30729

Data Directories

Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IMPORT 0x8cd3c 0x154 .rdata

IMAGE_DIRECTORY_ENTRY_RESOURCE 0xab000 0x1fc98 .rsrc

IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0

IMAGE_DIRECTORY_ENTRY_SECURITY 0xcd9d8 0xee0

IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0

IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IAT 0x82000 0x840 .rdata

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Sections

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics

.text 0x1000 0x80017 0x80200 False 0.56034679878 data 6.63488377319 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.rdata 0x82000 0xd95c 0xda00 False 0.36141771789 data 4.86709160512 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.data 0x90000 0x1a518 0x6800 False 0.160006009615 data 2.20177062077 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

.rsrc 0xab000 0x1fc98 0x1fe00 False 0.820932904412 data 7.30035107712 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name RVA Size Type Language Country

RT_ICON 0xab4f0 0x128 GLS_BINARY_LSB_FIRST English Great Britain

RT_ICON 0xab618 0x128 GLS_BINARY_LSB_FIRST English Great Britain

RT_ICON 0xab740 0x568 GLS_BINARY_LSB_FIRST English Great Britain

RT_ICON 0xabca8 0x14edd PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced English Great Britain

RT_ICON 0xc0b88 0x4228 data English Great Britain

RT_ICON 0xc4db0 0x25a8 data English Great Britain

RT_ICON 0xc7358 0xb0 GLS_BINARY_LSB_FIRST English Great Britain

RT_ICON 0xc7408 0x10a8 data English Great Britain

RT_ICON 0xc84b0 0x988 data English Great Britain

RT_ICON 0xc8e38 0x468 GLS_BINARY_LSB_FIRST English Great Britain

RT_ICON 0xc92a0 0x468 GLS_BINARY_LSB_FIRST English Great Britain

RT_ICON 0xc9708 0x468 GLS_BINARY_LSB_FIRST English Great Britain

RT_ICON 0xc9b70 0x468 GLS_BINARY_LSB_FIRST English Great Britain

RT_ICON 0xc9fd8 0x468 GLS_BINARY_LSB_FIRST English Great Britain

RT_GROUP_ICON 0xca440 0x5a data English Great Britain

RT_GROUP_ICON 0xca49c 0x14 data English Great Britain

RT_GROUP_ICON 0xca4b0 0x14 data English Great Britain

RT_GROUP_ICON 0xca4c4 0x22 data English Great Britain

RT_GROUP_ICON 0xca4e8 0x14 data English Great Britain

RT_GROUP_ICON 0xca4fc 0x14 data English Great Britain

RT_GROUP_ICON 0xca510 0x14 data English Great Britain

RT_GROUP_ICON 0xca524 0x14 data English Great Britain

RT_VERSION 0xca538 0x2c0 data English Great Britain

RT_MANIFEST 0xca7f8 0x49e XML 1.0 document, ASCII text, with CRLF line terminators English Great Britain

Imports

DLL Import

WSOCK32.dll __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv

VERSION.dll VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW

WINMM.dll timeGetTime, waveOutSetVolume, mciSendStringW

COMCTL32.dll ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy

MPR.dll WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW

WININET.dll InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable

PSAPI.DLL EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules

USERENV.dll CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW

KERNEL32.dll HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA

USER32.dll SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW

GDI32.dll DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx

COMDLG32.dll GetSaveFileNameW, GetOpenFileNameW

ADVAPI32.dll RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl

SHELL32.dll DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish

ole32.dll OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize

OLEAUT32.dll SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Version Infos

Description Data

LegalCopyright Copyright 2015-2019 www.sordum.org All Rights Reserved.

Coder By BlueLife

FileVersion 1.6.0.0

CompanyName www.sordum.org

Comments Windows Defender Control v1.6

FileDescription Windows Defender Control

Translation 0x0809 0x04b0

Possible Origin

Language of compilation system Country where language is spoken Map

English Great Britain

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: DefenderControl.exe PID: 3504 Parent PID: 5760

General

Start time: 00:41:34

Start date: 24/12/2020

Path: C:\Users\user\Desktop\DefenderControl.exe

Wow64 process (32bit): true

Commandline: 'C:\Users\user\Desktop\DefenderControl.exe'

Imagebase: 0x400000

File size: 846008 bytes

MD5 hash: 3A24A7B7C1BA74A5AFA50F88BA81D550

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Yara matches:

Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.579588699.00000000008BD000.00000004.00000001.sdmp, Author: Florian Roth

Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000003.204202979.00000000033A4000.00000004.00000001.sdmp, Author: Florian Roth

Rule: MAL_Sednit_DelphiDownloader_Apr18_2, Description: Detects malware from Sednit Delphi Downloader report, Source: 00000000.00000002.581223960.00000000033A0000.00000004.00000001.sdmp, Author: Florian Roth

Reputation: low

File Activities

File Created

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\autB6B9.tmp read attributes | synchronize | generic read device synchronous io non alert | non directory file success or wait 1 434FD8 GetTempFileNameW

C:\Users\user\AppData\Local\Temp\wnbclmk read attributes | synchronize | generic read | generic write device synchronous io non alert | non directory file success or wait 1 4257F5 CreateFileW

C:\Users\user\Desktop\DefenderControl.ini read attributes | synchronize | generic read | generic write device synchronous io non alert | non directory file success or wait 1 40F010 CreateFileW

File Deleted

File Path Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\autB6B9.tmp success or wait 1 452BAE DeleteFileW

C:\Users\user\AppData\Local\Temp\wnbclmk success or wait 1 44C069 DeleteFileW

File Written

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 28672 (binary value and ASCII rendering omitted) success or wait 1 41C31A WriteFile

C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 3288 (binary value and ASCII rendering omitted) success or wait 1 41C31A WriteFile


C:\Users\user\AppData\Local\Temp\wnbclmk unknown 65536 (hex value and ASCII rendering omitted) success or wait 1 41C31A WriteFile

C:\Users\user\AppData\Local\Temp\wnbclmk unknown 28672 (hex value and ASCII rendering omitted) success or wait 1 41C31A WriteFile


C:\Users\user\AppData\Local\Temp\wnbclmk unknown 3493 (hex value and ASCII rendering omitted) success or wait 1 41C31A WriteFile

C:\Users\user\Desktop\DefenderControl.ini unknown 2 ff fe .. success or wait 1 444368 WriteFile

C:\Users\user\Desktop\DefenderControl.ini unknown 1490 (hex value omitted) ;. .G.e.n.e.r.a.t.e.d. .(.2.4...1.2...2.0.2.0. .0.0.:.4.1.:.3.5.). .b.y. .D.e.f.e.n.d.e.r. .C.o.n.t.r.o.l. .v.1...6.....;. .w.w.w...s.o.r.d.u.m...o.r.g.........[.M.a.i.n.].....L.a.n.g.u.a.g.e.=.A.u.t.o.....H.i.d.e.W.i.n.d.o.w.O.n.S.t.a.r.t.u.p.=.0.....H.i success or wait 1 444368 WriteFile

File Read

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user\Desktop\DefenderControl.exe unknown 65536 success or wait 1 41E9DF ReadFile

C:\Users\user\Desktop\DefenderControl.exe unknown 65536 success or wait 33 41E9DF ReadFile

C:\Users\user\Desktop\DefenderControl.exe unknown 70656 success or wait 2 41E9DF ReadFile

C:\Users\user\Desktop\DefenderControl.exe unknown 65536 success or wait 1 41E9DF ReadFile

C:\Users\user\Desktop\DefenderControl.exe unknown 65536 success or wait 1 41E9DF ReadFile

C:\Users\user\Desktop\DefenderControl.exe unknown 28672 success or wait 1 41E9DF ReadFile

C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 4096 success or wait 1 41E9DF ReadFile

C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 61440 success or wait 1 41E9DF ReadFile

C:\Users\user\AppData\Local\Temp\autB6B9.tmp unknown 32768 end of file 1 41E9DF ReadFile

C:\Users\user\AppData\Local\Temp\wnbclmk unknown 65536 success or wait 1 403D95 ReadFile

C:\Users\user\AppData\Local\Temp\wnbclmk unknown 65536 success or wait 2 403D95 ReadFile

Disassembly

Code Analysis