File name: DefenderControl.rar
Full analysis: https://app.any.run/tasks/5ba7a12b-b1f0-40fb-947d-939bdd5ce3c0
Verdict: Malicious activity
Analysis date: July 05, 2021, 16:56:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 129CB66AA2DDC0364F56B763B51032F4
SHA1: 8D25B35DB52CC7BFCA9AF2C18BE51BACD142EE74
SHA256: B010766AF2DED9570BD0B51CE9632EC09FED56E558B4A1F013D6F830E53B88F5
SSDEEP: 12288:eKj+WjRekNyl/sejpHWMr7bDN0/hmCUts0gAc9To2Rm:Zjw/Rsk77F0/AFtc9TnI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DefenderControl.exe (PID: 2984)
      • DefenderControl.exe (PID: 3264)
      • DefenderControl.exe (PID: 1392)
      • DefenderControl.exe (PID: 1772)
      • DefenderControl.exe (PID: 284)
      • DefenderControl.exe (PID: 3184)
      • DefenderControl.exe (PID: 2304)
      • DefenderControl.exe (PID: 2760)
      • DefenderControl.exe (PID: 824)
      • DefenderControl.exe (PID: 3708)
    • Disables Windows Defender

      • DefenderControl.exe (PID: 3264)
      • DefenderControl.exe (PID: 1392)
      • DefenderControl.exe (PID: 1772)
      • DefenderControl.exe (PID: 2304)
      • DefenderControl.exe (PID: 824)
      • DefenderControl.exe (PID: 3708)
    • Modifies Windows Defender service settings

      • DefenderControl.exe (PID: 3264)
      • DefenderControl.exe (PID: 1392)
      • DefenderControl.exe (PID: 3184)
      • DefenderControl.exe (PID: 1772)
      • DefenderControl.exe (PID: 284)
      • DefenderControl.exe (PID: 2304)
      • DefenderControl.exe (PID: 824)
      • DefenderControl.exe (PID: 3708)
      • DefenderControl.exe (PID: 2760)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 720)
      • DefenderControl.exe (PID: 3264)
      • DefenderControl.exe (PID: 1392)
      • DefenderControl.exe (PID: 3184)
      • DefenderControl.exe (PID: 1772)
      • MSASCui.exe (PID: 3680)
      • DefenderControl.exe (PID: 284)
      • DefenderControl.exe (PID: 2304)
      • DefenderControl.exe (PID: 2760)
      • DefenderControl.exe (PID: 824)
      • DefenderControl.exe (PID: 3708)
    • Checks supported languages

      • WinRAR.exe (PID: 720)
      • DefenderControl.exe (PID: 3264)
      • DefenderControl.exe (PID: 1392)
      • DefenderControl.exe (PID: 3184)
      • DefenderControl.exe (PID: 1772)
      • MSASCui.exe (PID: 3680)
      • DefenderControl.exe (PID: 2304)
      • DefenderControl.exe (PID: 2760)
      • DefenderControl.exe (PID: 284)
      • DefenderControl.exe (PID: 824)
      • DefenderControl.exe (PID: 3708)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 720)
    • Reads mouse settings

      • DefenderControl.exe (PID: 3264)
      • DefenderControl.exe (PID: 1392)
      • DefenderControl.exe (PID: 3184)
      • DefenderControl.exe (PID: 1772)
      • DefenderControl.exe (PID: 2304)
      • DefenderControl.exe (PID: 2760)
      • DefenderControl.exe (PID: 284)
      • DefenderControl.exe (PID: 824)
      • DefenderControl.exe (PID: 3708)
    • Creates files in the Windows directory

      • DefenderControl.exe (PID: 1392)
      • DefenderControl.exe (PID: 3184)
      • DefenderControl.exe (PID: 1772)
      • DefenderControl.exe (PID: 284)
      • DefenderControl.exe (PID: 2304)
      • DefenderControl.exe (PID: 2760)
      • DefenderControl.exe (PID: 824)
      • DefenderControl.exe (PID: 3708)
    • Application launched itself

      • DefenderControl.exe (PID: 3264)
    • Removes files from Windows directory

      • DefenderControl.exe (PID: 1392)
      • DefenderControl.exe (PID: 3184)
      • DefenderControl.exe (PID: 1772)
      • DefenderControl.exe (PID: 284)
      • DefenderControl.exe (PID: 2304)
      • DefenderControl.exe (PID: 824)
      • DefenderControl.exe (PID: 3708)
      • DefenderControl.exe (PID: 2760)
  • INFO

    • Manual execution by user

      • DefenderControl.exe (PID: 2984)
      • DefenderControl.exe (PID: 3264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 12
Malicious processes: 10
Suspicious processes: 0

Behavior graph

Process nodes (the graph itself is in the full report): start, winrar.exe, defendercontrol.exe (no specs), defendercontrol.exe, defendercontrol.exe, defendercontrol.exe, defendercontrol.exe, msascui.exe (no specs), defendercontrol.exe, defendercontrol.exe, defendercontrol.exe, defendercontrol.exe, defendercontrol.exe

Process information

PID: 284
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe" /SYS 0
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: DefenderControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: Windows Defender Control
Exit code: 0
Version: 1.6.0.0
Modules (images):
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 720
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DefenderControl.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 824
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe" /SYS 1
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: DefenderControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: Windows Defender Control
Exit code: 0
Version: 1.6.0.0
Modules (images):
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
PID: 1392
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe" /SYS 1
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: DefenderControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: Windows Defender Control
Exit code: 0
Version: 1.6.0.0
Modules (images):
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
PID: 1772
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe" /SYS 1
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: DefenderControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: Windows Defender Control
Exit code: 0
Version: 1.6.0.0
Modules (images):
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
PID: 2304
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe" /SYS 1
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: DefenderControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: Windows Defender Control
Exit code: 0
Version: 1.6.0.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 2760
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe" /SYS 0
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: DefenderControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: Windows Defender Control
Exit code: 0
Version: 1.6.0.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\user32.dll
PID: 2984
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe"
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: Explorer.EXE
User: admin
Company: www.sordum.org
Integrity Level: MEDIUM
Description: Windows Defender Control
Exit code: 3221226540
Version: 1.6.0.0
Modules (images):
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\ntdll.dll
PID: 3184
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe" /SYS 0
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: DefenderControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: Windows Defender Control
Exit code: 0
Version: 1.6.0.0
Modules (images):
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 3264
CMD: "C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe"
Path: C:\Users\admin\Desktop\DefenderControl\DefenderControl.exe
Parent process: Explorer.EXE
User: admin
Company: www.sordum.org
Integrity Level: HIGH
Description: Windows Defender Control
Exit code: 0
Version: 1.6.0.0
Modules (images):
c:\users\admin\desktop\defendercontrol\defendercontrol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
Total events: 1 674
Read events: 1 594
Write events: 71
Delete events: 9

Modification events

(PID) Process | Key | Operation | Name | Value
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(720) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16B\52C64B7E | write | LanguageList | en-US
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\DefenderControl.rar
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(720) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 1
Suspicious files: 10
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
720 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa720.4181\DefenderControl\DefenderControl.ini | text
    MD5: 436BA365F9847A17824226930A0A8C7D
    SHA256: 294C26956691C3512FFC20C621AD95125341042683BBCE806EEAA33C12E8BBEE
3264 | DefenderControl.exe | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | binary
    MD5: D15A332CBA4FC6D5062F42728CF751B4
    SHA256: 9C064D5E80AB78FF046430CB6A6CA1B32266AF43500313CC13AD092534EE4A6F
720 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa720.4181\DefenderControl\DefenderControl.exe | executable
    MD5: 3A24A7B7C1BA74A5AFA50F88BA81D550
    SHA256: A201F7F81277E28C0BDD680427B979AEE70E42E8A98C67F11E7C83D02F8FE7AE
3264 | DefenderControl.exe | C:\Windows\System32\GroupPolicy\gpt.ini | text
    MD5: 18BD917DCFE60A77F3BDA05E1A35B407
    SHA256: 657581D7C48DDB8643C3396C49A00C7177ACD7B4922CEC22D6F45F30A606DB7A
1392 | DefenderControl.exe | C:\Windows\TEMP\mhnjrrb | text
    MD5: B9B96CDCEF855AB98EE55AF4EC32C96A
    SHA256: 2721F4949FDF46A89A1454E4EDBC3BC178F764F58955BEFA74BCBA57F7B0FA45
1772 | DefenderControl.exe | C:\Windows\TEMP\aut442E.tmp | binary
    MD5: 446A845A0963C84E6B7F1C6B648ADF62
    SHA256: 950BD3BF22CA0BF4DAA3B12AF5EB6356F0810E93AE1E86FB419646C3AAB588DB
3264 | DefenderControl.exe | C:\Users\admin\AppData\Local\Temp\tfahfax | text
    MD5: B9B96CDCEF855AB98EE55AF4EC32C96A
    SHA256: 2721F4949FDF46A89A1454E4EDBC3BC178F764F58955BEFA74BCBA57F7B0FA45
3264 | DefenderControl.exe | C:\Users\admin\AppData\Local\Temp\autE6DC.tmp | binary
    MD5: 446A845A0963C84E6B7F1C6B648ADF62
    SHA256: 950BD3BF22CA0BF4DAA3B12AF5EB6356F0810E93AE1E86FB419646C3AAB588DB
3184 | DefenderControl.exe | C:\Windows\TEMP\aut3450.tmp | binary
    MD5: 446A845A0963C84E6B7F1C6B648ADF62
    SHA256: 950BD3BF22CA0BF4DAA3B12AF5EB6356F0810E93AE1E86FB419646C3AAB588DB
284 | DefenderControl.exe | C:\Windows\TEMP\dhofgau | text
    MD5: B9B96CDCEF855AB98EE55AF4EC32C96A
    SHA256: 2721F4949FDF46A89A1454E4EDBC3BC178F764F58955BEFA74BCBA57F7B0FA45
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info