File name:	WindowsDefender.exe
Full analysis:	https://app.any.run/tasks/a0cb78bc-04c7-4364-af19-e2720862badb
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	December 14, 2024, 03:01:45
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	remote sheetrat rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	EF758B7EC3526C95A6195F7D3D923422
SHA1:	4E99A4B29AFC091D7919AE8DB21E9652AA777D58
SHA256:	6048A15418290F575C2C1304E759E1657BD5464D5C2DC8B932E8E72769C231AD
SSDEEP:	3072:GnrZNA9MXLWIdTUh6g17ruavtxye+biKruljxBe6e:stS9o+6g1WqyJbpuNe

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr	\|	Windows screen saver (12.9)
.dll	\|	Win32 Dynamic Link Library (generic) (6.4)
.exe	\|	Win32 Executable (generic) (4.4)
.exe	\|	Generic Win/DOS Executable (1.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2100:10:13 03:20:15+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	330752
InitializedDataSize:	2560
UninitializedDataSize:	-
EntryPoint:	0x52afe
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	21.86.6.79
ProductVersionNumber:	259.41.258.69
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Microsoft Money
FileDescription:	QuickBooks Upgrade
FileVersion:	21.86.6.79
InternalName:	Inkscape Upgrade.exe
LegalCopyright:	Microsoft Visual Studio
LegalTrademarks:	Avast Antivirus
OriginalFileName:	Inkscape Upgrade.exe
ProductName:	F.lux
ProductVersion:	259.41.258.69
AssemblyVersion:	259.41.258.69


(PID) Process:	(5432) WindowsDefender.exe	Key:	HKEY_CURRENT_USER\SOFTWARE
Operation:	write	Name:	hwid
Value: MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M=
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Userinit
Value: C:\Windows\System32\userinit.exe,C:\WINDOWS\Registry
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Windows Defender
Value: C:\WINDOWS\Registry
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage
Operation:	write	Name:	Export
Value: .NET Memory Cache 4.0
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: MSDTC Bridge 3.0.0.0
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage
Operation:	write	Name:	Export
Value: MSDTC Bridge 4.0.0.0
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: ServiceModelEndpoint 3.0.0.0
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: ServiceModelOperation 3.0.0.0
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: ServiceModelService 3.0.0.0
(PID) Process:	(6092) WindowsDefender.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: SMSvcHost 3.0.0.0

PID	Process	Filename		Type
6092	WindowsDefender.exe	C:\Windows\Registry		executable
		MD5:EF758B7EC3526C95A6195F7D3D923422	SHA256:6048A15418290F575C2C1304E759E1657BD5464D5C2DC8B932E8E72769C231AD

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4536	svchost.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4536	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4536	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4536	svchost.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4536	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4536	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	142.250.185.110	whitelisted
crl.microsoft.com	2.20.245.137 2.20.245.138	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
self.events.data.microsoft.com	13.69.239.79	whitelisted

General Info

WindowsDefender.exe

EF758B7EC3526C95A6195F7D3D923422

4E99A4B29AFC091D7919AE8DB21E9652AA777D58

6048A15418290F575C2C1304E759E1657BD5464D5C2DC8B932E8E72769C231AD

3072:GnrZNA9MXLWIdTUh6g17ruavtxye+biKruljxBe6e:stS9o+6g1WqyJbpuNe

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Changes the login/logoff helper path in the registry

SHEETRAT has been detected (SURICATA)

SUSPICIOUS

Reads the date of Windows installation

Executable content was dropped or overwritten

Application launched itself

Reads security settings of Internet Explorer

Connects to unusual port

Executes as Windows Service

The process checks if it is being run in the virtual environment

Contacting a server suspected of hosting an CnC

INFO

Reads the computer name

Checks supported languages

The process uses the downloaded file

Reads the machine GUID from the registry

Process checks computer location settings

Reads CPU info

Reads the time zone

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings