badrabbit | f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

Endermanch@PCDefender.exe
Size

878KB
MD5

e4d4a59494265949993e26dee7b077d1
SHA1

83e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA256

5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512

efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

Score

10^/10

badrabbit bootkit evasion persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\""	MsiExec.exe

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Executes dropped EXE 1 IoCs

Processes:

CC5F.tmp

pid process

3120 CC5F.tmp
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

pid	process
3120	CC5F.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ImportConvertTo.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectStart.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\ExportConvertTo.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\FindMove.tiff	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi	js

Modifies service 2 TTPs 161 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msiexec.exevssvc.exesrtasks.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGatherWriterMetadata (Leave) = 480000000000000045d9d5829ac0d601e40c00001c0c0000d30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Enter) = 48000000000000001c69cb839ac0d601e01000007c07000002040000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Enter) = 48000000000000006e2b0e849ac0d601e01000007c070000ea030000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000b4f6c3869ac0d601e0100000e0090000fb030000000000000500000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 48000000000000006507f6869ac0d601680a0000640b0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{f994966a-0000-0000-0000-500600000000}_)	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Enter) = 4800000000000000f8acb2849ac0d601e0100000e8080000eb030000010000000200000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Leave) = 48000000000000002eeef6859ac0d601e0100000d00a0000fc030000000000000300000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000b4f6c3869ac0d601e0100000f8080000fb030000000000000500000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 48000000000000006507f6869ac0d601680a0000640b0000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Leave) = 4800000000000000eea869839ac0d601e010000008020000e9030000000000000100000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{f994966a-0000-0000-0000-500600000000}_)\IOCTL_FLUSH_AND_HOLD (Leave) = 480000000000000034eed7859ac0d601e0100000240a0000fe030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 480000000000000021d9e3859ac0d601e40c00001c0c0000d50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Enter) = 480000000000000072e7cc849ac0d601e01000007c070000ee030000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000b4f6c3869ac0d601e0100000f8080000fb030000000000000500000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000db5f287c9ac0d601e40c00001c0c0000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer\IDENTIFY (Leave) = 480000000000000005234c7c9ac0d601e010000010020000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 4800000000000000f8acb2849ac0d601e0100000e808000003000000010000000200000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppCreate (Enter) = 4800000000000000d7c22a7c9ac0d601e40c00001c0c0000d00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGatherWriterMetadata (Enter) = 48000000000000007fe9317c9ac0d601e40c00001c0c0000d30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\GETSTATE (Leave) = 48000000000000006e30b1839ac0d601e40c00004c070000f9030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Enter) = 4800000000000000565215849ac0d601e010000008090000ea030000010000000100000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\FREEZE (Enter) = 48000000000000006849cf849ac0d601e0100000e0090000eb030000010000000200000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\FREEZE (Leave) = 48000000000000006849cf849ac0d601e0100000e0090000eb030000000000000200000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Enter) = 48000000000000006849cf849ac0d601e0100000000a0000fc030000010000000300000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Enter) = 48000000000000001b54bb859ac0d601e01000007c070000fe030000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 480000000000000057c6ef859ac0d601e010000008090000f2030000000000000300000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW (Leave) = 4800000000000000d64ef9859ac0d601e01000007c070000f2030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 4800000000000000db5f287c9ac0d601e40c00001c0c0000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Leave) = 48000000000000006e30b1839ac0d601e010000008020000f9030000000000000100000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE (Enter) = 4800000000000000f8acb2849ac0d601e01000007c070000eb030000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Leave) = 4800000000000000249178859ac0d601e01000007c07000003040000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW_KTM (Leave) = 4800000000000000b651da859ac0d601e01000007c070000f4030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\THAW (Enter) = 48000000000000002eeef6859ac0d601e0100000e0090000f2030000010000000300000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Enter) = 4800000000000000b4f6c3869ac0d601e0100000f8080000fb030000010000000500000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\BACKUPSHUTDOWN (Leave) = 48000000000000002ae4cf869ac0d601e01000007c070000fb030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Leave) = 480000000000000055a5a7839ac0d601e40c000034070000e9030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Enter) = 48000000000000001c69cb839ac0d601e40c00001c0c00000a040000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Enter) = 4800000000000000313924869ac0d601e0100000f8080000f5030000010000000400000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Enter) = 48000000000000004a2060839ac0d601e01000001002000001040000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\GETSTATE (Enter) = 48000000000000006e30b1839ac0d601e010000040020000f9030000010000000100000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Enter) = 4800000000000000f8acb2849ac0d601e01000007c070000ec030000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\FREEZE (Leave) = 4800000000000000249178859ac0d601e010000008090000eb030000000000000200000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 4800000000000000249178859ac0d601e01000007c070000ef030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE (Leave) = 4800000000000000249178859ac0d601e01000007c070000eb030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Leave) = 4800000000000000313924869ac0d601e0100000f8080000f5030000000000000400000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{f994966a-0000-0000-0000-500600000000}_)\OPEN_VOLUME_HANDLE (Leave) = 48000000000000001b54bb859ac0d601e0100000240a0000fd030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Leave) = 480000000000000034eed7859ac0d601e0100000140a000004040000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Leave) = 480000000000000057c6ef859ac0d601e0100000000a0000fc030000000000000300000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Enter) = 48000000000000006e30b1839ac0d601e010000008020000f9030000010000000100000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Leave) = 48000000000000004970d6849ac0d601e01000007c070000f0030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Leave) = 480000000000000034eed7859ac0d601e01000007c070000fe030000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 4800000000000000489b26869ac0d601e0100000f808000005000000010000000400000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore\SrCreateRp (Enter) = 48000000000000005414fb7b9ac0d601e40c00001c0c0000d50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Leave) = 48000000000000008bcb0b849ac0d601e01000007c07000002040000000000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_RELEASE (Enter) = 480000000000000034eed7859ac0d601e01000007c070000ff0300000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppCreate (Leave) = 480000000000000021d9e3859ac0d601e40c00001c0c0000d00700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Enter) = 4800000000000000b08162839ac0d601e40c000034070000e9030000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Enter) = 480000000000000064e464839ac0d601e010000040020000e9030000010000000100000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW_KTM (Enter) = 4800000000000000b651da859ac0d601e01000007c070000f4030000010000000000000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 480000000000000057c6ef859ac0d601e0100000f808000004000000010000000300000000000000c701cdde0534924389195d2d3418749900000000000000000000000000000000	vssvc.exe

Drops file in Program Files directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\hook.dll	msiexec.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File created	C:\Windows\Installer\f74fa05.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74fa05.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe	msiexec.exe
File created	C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe	msiexec.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\CC5F.tmp	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FC2ABC8E-3715-4A32-B8B5-559380F45282}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBF9.tmp	msiexec.exe
File created	C:\Windows\Installer\f74fa08.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4364 schtasks.exe
5028 schtasks.exe

pid	process
4364	schtasks.exe
5028	schtasks.exe

Modifies data under HKEY_USERS 27 IoCs

Processes:

msiexec.exeMsiExec.exeLogonUI.exesvchost.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 31 IoCs

Processes:

msiexec.exeEndermanch@PCDefender.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	Endermanch@PCDefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msiexec.exerundll32.exeCC5F.tmp

pid	process
3300	msiexec.exe
3300	msiexec.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
3120	CC5F.tmp
3120	CC5F.tmp
3120	CC5F.tmp
3120	CC5F.tmp
3120	CC5F.tmp
3120	CC5F.tmp
2632	rundll32.exe
2632	rundll32.exe

Suspicious use of AdjustPrivilegeToken 153 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	768	msiexec.exe
Token: SeSecurityPrivilege	3300	msiexec.exe
Token: SeCreateTokenPrivilege	768	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	768	msiexec.exe
Token: SeLockMemoryPrivilege	768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	768	msiexec.exe
Token: SeMachineAccountPrivilege	768	msiexec.exe
Token: SeTcbPrivilege	768	msiexec.exe
Token: SeSecurityPrivilege	768	msiexec.exe
Token: SeTakeOwnershipPrivilege	768	msiexec.exe
Token: SeLoadDriverPrivilege	768	msiexec.exe
Token: SeSystemProfilePrivilege	768	msiexec.exe
Token: SeSystemtimePrivilege	768	msiexec.exe
Token: SeProfSingleProcessPrivilege	768	msiexec.exe
Token: SeIncBasePriorityPrivilege	768	msiexec.exe
Token: SeCreatePagefilePrivilege	768	msiexec.exe
Token: SeCreatePermanentPrivilege	768	msiexec.exe
Token: SeBackupPrivilege	768	msiexec.exe
Token: SeRestorePrivilege	768	msiexec.exe
Token: SeShutdownPrivilege	768	msiexec.exe
Token: SeDebugPrivilege	768	msiexec.exe
Token: SeAuditPrivilege	768	msiexec.exe
Token: SeSystemEnvironmentPrivilege	768	msiexec.exe
Token: SeChangeNotifyPrivilege	768	msiexec.exe
Token: SeRemoteShutdownPrivilege	768	msiexec.exe
Token: SeUndockPrivilege	768	msiexec.exe
Token: SeSyncAgentPrivilege	768	msiexec.exe
Token: SeEnableDelegationPrivilege	768	msiexec.exe
Token: SeManageVolumePrivilege	768	msiexec.exe
Token: SeImpersonatePrivilege	768	msiexec.exe
Token: SeCreateGlobalPrivilege	768	msiexec.exe
Token: SeBackupPrivilege	4320	vssvc.exe
Token: SeRestorePrivilege	4320	vssvc.exe
Token: SeAuditPrivilege	4320	vssvc.exe
Token: SeBackupPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe
Token: SeTakeOwnershipPrivilege	3300	msiexec.exe
Token: SeRestorePrivilege	3300	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

768 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4580 LogonUI.exe

pid	process
768	msiexec.exe

pid	process
4580	LogonUI.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

Endermanch@PCDefender.exemsiexec.exerundll32.exerundll32.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4760 wrote to memory of 768	4760	Endermanch@PCDefender.exe	msiexec.exe
PID 4760 wrote to memory of 768	4760	Endermanch@PCDefender.exe	msiexec.exe
PID 4760 wrote to memory of 768	4760	Endermanch@PCDefender.exe	msiexec.exe
PID 3300 wrote to memory of 2664	3300	msiexec.exe	srtasks.exe
PID 3300 wrote to memory of 2664	3300	msiexec.exe	srtasks.exe
PID 3300 wrote to memory of 4392	3300	msiexec.exe	MsiExec.exe
PID 3300 wrote to memory of 4392	3300	msiexec.exe	MsiExec.exe
PID 3300 wrote to memory of 4392	3300	msiexec.exe	MsiExec.exe
PID 388 wrote to memory of 2632	388	rundll32.exe	rundll32.exe
PID 388 wrote to memory of 2632	388	rundll32.exe	rundll32.exe
PID 388 wrote to memory of 2632	388	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 4668	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 4668	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 4668	2632	rundll32.exe	cmd.exe
PID 4668 wrote to memory of 1488	4668	cmd.exe	schtasks.exe
PID 4668 wrote to memory of 1488	4668	cmd.exe	schtasks.exe
PID 4668 wrote to memory of 1488	4668	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 4468	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 4468	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 4468	2632	rundll32.exe	cmd.exe
PID 4468 wrote to memory of 4364	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 4364	4468	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 4364	4468	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 2208	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 2208	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 2208	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 3120	2632	rundll32.exe	CC5F.tmp
PID 2632 wrote to memory of 3120	2632	rundll32.exe	CC5F.tmp
PID 2208 wrote to memory of 5028	2208	cmd.exe	schtasks.exe
PID 2208 wrote to memory of 5028	2208	cmd.exe	schtasks.exe
PID 2208 wrote to memory of 5028	2208	cmd.exe	schtasks.exe
PID 2632 wrote to memory of 4588	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 4588	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 4588	2632	rundll32.exe	cmd.exe
PID 4588 wrote to memory of 4628	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 4628	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 4628	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 4456	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 4456	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 4456	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 2608	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 2608	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 2608	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 2916	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 2916	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 2916	4588	cmd.exe	wevtutil.exe
PID 4588 wrote to memory of 228	4588	cmd.exe	fsutil.exe
PID 4588 wrote to memory of 228	4588	cmd.exe	fsutil.exe
PID 4588 wrote to memory of 228	4588	cmd.exe	fsutil.exe
PID 2632 wrote to memory of 224	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 224	2632	rundll32.exe	cmd.exe
PID 2632 wrote to memory of 224	2632	rundll32.exe	cmd.exe
PID 224 wrote to memory of 3968	224	cmd.exe	schtasks.exe
PID 224 wrote to memory of 3968	224	cmd.exe	schtasks.exe
PID 224 wrote to memory of 3968	224	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefender.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Modifies service
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Modifies service
PID:2664

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1F79EE20C3059F2441123B4678BA2642 E Global\MSI0000
2⤵
- Modifies WinLogon for persistence
- Modifies data under HKEY_USERS
PID:4392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:4320

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1136

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 15
1⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Modifies extensions of user files
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
3⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
4⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2333987964 && exit"
3⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2333987964 && exit"
4⤵
- Creates scheduled task(s)
PID:4364

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
3⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 07:02:00
4⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\CC5F.tmp
"C:\Windows\CC5F.tmp" \\.\pipe\{717F4F2C-F49B-4686-BB05-5684ABD90307}
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3120

C:\Windows\SysWOW64\cmd.exe
/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
3⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl Setup
4⤵
PID:4628

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl System
4⤵
PID:4456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl Security
4⤵
PID:2608

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl Application
4⤵
PID:2916

C:\Windows\SysWOW64\fsutil.exe
fsutil usn deletejournal /D C:
4⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN drogon
3⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN drogon
4⤵
PID:3968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad8055 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Indicator Removal on Host

T1070

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Data Destruction

T1485

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi
MD5
7f728acab22868ca02cc1ba0a14f5d64

SHA1
9e3e82b152447b8bcd27583fbdab7aa91ca4739d

SHA256
586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4

SHA512
9bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800

Download Submit
C:\Windows\CC5F.tmp
MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\CC5F.tmp
MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
a6d6bd6aef748e56cf4a1266f705978b

SHA1
b195f66c142584ed23170ea7738d0b6a8a6cbadf

SHA256
82dcccd3dd717e2524eb254501bb2692ea2788f36abd0277bc73bcfc64f2931e

SHA512
4612682a427a75d67e7bf67d0002f5621b3a9d176d10c0977e157db7695dc67c8eb7951b060e4f2522127aa8ac7e73ab757912fcc36eb7c226997e1ff53ae0c0

Download Submit
\??\Volume{f994966a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{decd01c7-3405-4392-8919-5d2d34187499}_OnDiskSnapshotProp
MD5
418f6ffa237c2a767e8734850fbf024a

SHA1
7bd8a5e3d902b0d7bdca745e494ec6aedd53ea3e

SHA256
dba8ab3972379fec6897ce58fea7a40c15474c84ce56ecd8ba376890a4be0c78

SHA512
e04cb544754f86b30cd9314693586b4817400bd7eed8a1e6e88e04eb4dd3c41eef83c333a1327480200756ed97652c8da40329bec8da8428dde7f8109ff1985f

Download Submit
memory/224-35-0x0000000000000000-mapping.dmp

Download
memory/228-34-0x0000000000000000-mapping.dmp

Download
memory/768-2-0x0000000000000000-mapping.dmp

Download
memory/1488-21-0x0000000000000000-mapping.dmp

Download
memory/2208-24-0x0000000000000000-mapping.dmp

Download
memory/2608-32-0x0000000000000000-mapping.dmp

Download
memory/2632-19-0x00000000032A0000-0x0000000003308000-memory.dmp

Filesize
416KB

Download
memory/2632-18-0x0000000000000000-mapping.dmp

Download
memory/2664-12-0x0000000000000000-mapping.dmp

Download
memory/2916-33-0x0000000000000000-mapping.dmp

Download
memory/3120-25-0x0000000000000000-mapping.dmp

Download
memory/3968-36-0x0000000000000000-mapping.dmp

Download
memory/4364-23-0x0000000000000000-mapping.dmp

Download
memory/4392-15-0x0000000000000000-mapping.dmp

Download
memory/4456-31-0x0000000000000000-mapping.dmp

Download
memory/4468-22-0x0000000000000000-mapping.dmp

Download
memory/4588-29-0x0000000000000000-mapping.dmp

Download
memory/4628-30-0x0000000000000000-mapping.dmp

Download
memory/4668-20-0x0000000000000000-mapping.dmp

Download
memory/4760-3-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/5028-28-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads