windefender.exe

Defend Center

The executable windefender.exe, described in its version resource as “Windows Defender Service”, has been detected as malware by 1 of 68 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the display name ‘Msiexec’. While running, it connects to the Internet address srv2.ampyazilim.com.tr on port 80 using the HTTP protocol.
Product:
Defend Center

Description:
Windows Defender Service

Version:
1, 0, 0, 0

MD5:
d5972ce78231aec3b2325452e1fe26b3

SHA-1:
65d5a3b9036ba0f0ef49de12870982cce28fc965

SHA-256:
382fcb110e7e5a2cbaebd6eaeb0caed18246d7bb0e8d7eaa0e6b0ab297577f5a

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/23/2024 1:11:45 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.WinDefend (M)

Engine version:
17.3.4.10

File size:
550.5 KB (563,712 bytes)

Product version:
1, 0, 0, 0

Copyright:
Copyright (C) 2014

File type:
Executable application (Win32 EXE)

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\windefender.exe

File PE Metadata
Compilation timestamp:
4/25/2007 11:09:45 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x19158

Entry point:
0F, BE, C2, 81, F2, C0, 10, 00, 43, 41, B1, 9B, F3, BB, 24, 53, 3F, 49, 32, DD, 2B, CA, 81, FF, 48, CF, 00, 00, 76, 06, 69, E8, AD, 3D, 66, C8, E8, 1A, 00, 00, 00, B3, 5F, 8B, C0, 48, 85, D7, 72, 06, F7, C1, 57, 82, 95, 33, 0F, B7, CB, 8B, C1, 81, FE, A6, 62, 00, 00, 0F, BE, F1, B0, C3, 3C, 58, 0F, B6, FD, 69, D3, D7, F0, 71, E6, 81, DD, BD, 82, C0, 59, 0F, BE, C9, 81, FB, B0, F3, 00, 00, 5A, 46, 53, 68, 76, E9, 22, 00, 45, 84, FC, 29, DD, 87, F7, F7, C1, 17, 27, 47, 90, 38, F7, 10, DB, F2, F7, C2, CD, 5C...

Entropy:
6.9233

Code size:
170.5 KB (174,592 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Msiexec

Command:
C:\users\{user}\appdata\local\temp\{random}.tmp\windefender.exe

The executable has been observed making the following network communications in live environments.

TCP (HTTP):
Connects to srv2.ampyazilim.com.tr  (37.230.104.89:80)

TCP (HTTP):
Connects to 93-89-226-17.fbs.com.tr  (93.89.226.17:80)

TCP (HTTP):
Connects to CHHOSTW03.net4.com  (118.67.248.123:80)

TCP (HTTP):
Connects to a72-247-177-190.deploy.akamaitechnologies.com  (72.247.177.190:80)

Remove windefender.exe - Powered by Reason Core Security