f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

Endermanch@PCDefenderv2.msi
Size

860KB
MD5

b3dce5c3f95a18fd076fad0f73bb9e39
SHA1

e80cc285a77302ee221f47e4e94823d4b2eba368
SHA256

df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff
SHA512

c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\pcdef.exe\""	MsiExec.exe

Executes dropped EXE 2 IoCs

Processes:

rundelay.exerundelay.exe

pid process

4320 rundelay.exe
4444 rundelay.exe

pid	process
4320	rundelay.exe
4444	rundelay.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Drops file in Program Files directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Def Group\PC Defender\uninstall.bat	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\prockill32.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f74e46a.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe	msiexec.exe
File created	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe	msiexec.exe
File created	C:\Windows\Installer\f74e46a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE620.tmp	msiexec.exe
File created	C:\Windows\Installer\f74e46d.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

rundelay.exeMsiExec.exemsiexec.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundelay.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\delrstrui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JDOJEKPGGATGSYFWE.bat"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundelay.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundelay.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundelay.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe

Modifies registry class 80 IoCs

Processes:

msiexec.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AdvertiseFlags = "388"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "Endermanch@PCDefenderv2.msi"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\PackageCode = "793E8A3EDC915D546911442ABED08716"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\PackageCode = "793E8A3EDC915D546911442ABED08716"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21B3A6546EF8EA14E9C5E5550F17C290	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Language = "1033"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AdvertiseFlags = "388"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Language = "1033"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\PackageName = "Endermanch@PCDefenderv2.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "Endermanch@PCDefenderv2.msi"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "Endermanch@PCDefenderv2.msi"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21B3A6546EF8EA14E9C5E5550F17C290\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Version = "33554432"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Clients = 3a0000000000	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\ProductName = "PC Defender"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1368 msiexec.exe
1368 msiexec.exe

pid	process
1368	msiexec.exe
1368	msiexec.exe

Suspicious use of AdjustPrivilegeToken 83 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2092	msiexec.exe
Token: SeSecurityPrivilege	1368	msiexec.exe
Token: SeCreateTokenPrivilege	2092	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2092	msiexec.exe
Token: SeLockMemoryPrivilege	2092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2092	msiexec.exe
Token: SeMachineAccountPrivilege	2092	msiexec.exe
Token: SeTcbPrivilege	2092	msiexec.exe
Token: SeSecurityPrivilege	2092	msiexec.exe
Token: SeTakeOwnershipPrivilege	2092	msiexec.exe
Token: SeLoadDriverPrivilege	2092	msiexec.exe
Token: SeSystemProfilePrivilege	2092	msiexec.exe
Token: SeSystemtimePrivilege	2092	msiexec.exe
Token: SeProfSingleProcessPrivilege	2092	msiexec.exe
Token: SeIncBasePriorityPrivilege	2092	msiexec.exe
Token: SeCreatePagefilePrivilege	2092	msiexec.exe
Token: SeCreatePermanentPrivilege	2092	msiexec.exe
Token: SeBackupPrivilege	2092	msiexec.exe
Token: SeRestorePrivilege	2092	msiexec.exe
Token: SeShutdownPrivilege	2092	msiexec.exe
Token: SeDebugPrivilege	2092	msiexec.exe
Token: SeAuditPrivilege	2092	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2092	msiexec.exe
Token: SeChangeNotifyPrivilege	2092	msiexec.exe
Token: SeRemoteShutdownPrivilege	2092	msiexec.exe
Token: SeUndockPrivilege	2092	msiexec.exe
Token: SeSyncAgentPrivilege	2092	msiexec.exe
Token: SeEnableDelegationPrivilege	2092	msiexec.exe
Token: SeManageVolumePrivilege	2092	msiexec.exe
Token: SeImpersonatePrivilege	2092	msiexec.exe
Token: SeCreateGlobalPrivilege	2092	msiexec.exe
Token: SeBackupPrivilege	2844	vssvc.exe
Token: SeRestorePrivilege	2844	vssvc.exe
Token: SeAuditPrivilege	2844	vssvc.exe
Token: SeBackupPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2092 msiexec.exe
2092 msiexec.exe

pid	process
2092	msiexec.exe
2092	msiexec.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

msiexec.exeMsiExec.exerundelay.exe

description	pid	process	target process
PID 1368 wrote to memory of 2028	1368	msiexec.exe	srtasks.exe
PID 1368 wrote to memory of 2028	1368	msiexec.exe	srtasks.exe
PID 1368 wrote to memory of 184	1368	msiexec.exe	MsiExec.exe
PID 1368 wrote to memory of 184	1368	msiexec.exe	MsiExec.exe
PID 1368 wrote to memory of 184	1368	msiexec.exe	MsiExec.exe
PID 184 wrote to memory of 192	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 192	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 192	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 216	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 216	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 216	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 4140	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 4140	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 4140	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 4196	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 4196	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 4196	184	MsiExec.exe	reg.exe
PID 184 wrote to memory of 4268	184	MsiExec.exe	cmd.exe
PID 184 wrote to memory of 4268	184	MsiExec.exe	cmd.exe
PID 184 wrote to memory of 4268	184	MsiExec.exe	cmd.exe
PID 184 wrote to memory of 4320	184	MsiExec.exe	rundelay.exe
PID 184 wrote to memory of 4320	184	MsiExec.exe	rundelay.exe
PID 184 wrote to memory of 4320	184	MsiExec.exe	rundelay.exe
PID 4320 wrote to memory of 4444	4320	rundelay.exe	rundelay.exe
PID 4320 wrote to memory of 4444	4320	rundelay.exe	rundelay.exe
PID 4320 wrote to memory of 4444	4320	rundelay.exe	rundelay.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Endermanch@PCDefenderv2.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2028

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 35172627D05D2B123A6EEE05FDD5AA72 E Global\MSI0000
2⤵
- Modifies WinLogon for persistence
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
3⤵
- Modifies registry class
PID:192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
3⤵
- Modifies registry class
PID:216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
3⤵
- Modifies registry class
PID:4140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f
3⤵
- Modifies registry class
PID:4196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"
3⤵
PID:4268

C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
"C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4320

C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
"C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1
4⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
MD5
c05ccc260692e8bfb5b6ba7238dbb943

SHA1
4ad185a7acb1c4ffcb3c03daa77cc77a833ae7e6

SHA256
0d58d2b03e3f6d5f32216e74badae8ad0d7f94cc4f207d06883ba953a1594cba

SHA512
7707d1c3f9085a710527e2d1559c8268ca3a1fb70fca9f1cf391a02cd81002193c6971cefd7b00b371e14adf5ae7b83b63206b88ead13b04a20ad08c7154ac22

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
MD5
c05ccc260692e8bfb5b6ba7238dbb943

SHA1
4ad185a7acb1c4ffcb3c03daa77cc77a833ae7e6

SHA256
0d58d2b03e3f6d5f32216e74badae8ad0d7f94cc4f207d06883ba953a1594cba

SHA512
7707d1c3f9085a710527e2d1559c8268ca3a1fb70fca9f1cf391a02cd81002193c6971cefd7b00b371e14adf5ae7b83b63206b88ead13b04a20ad08c7154ac22

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
MD5
c05ccc260692e8bfb5b6ba7238dbb943

SHA1
4ad185a7acb1c4ffcb3c03daa77cc77a833ae7e6

SHA256
0d58d2b03e3f6d5f32216e74badae8ad0d7f94cc4f207d06883ba953a1594cba

SHA512
7707d1c3f9085a710527e2d1559c8268ca3a1fb70fca9f1cf391a02cd81002193c6971cefd7b00b371e14adf5ae7b83b63206b88ead13b04a20ad08c7154ac22

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
e8fba70fe2ec9d1c54eb3e0c387d29b9

SHA1
854b744f70d21649a48c6c2072b579180d0e9598

SHA256
72c15a0a4fcf3c60bd21ba9ae72c1db76ee67defb23437ffd153eff939bdb5d4

SHA512
0915112f6724cc2b8af0a996079d692d8874ee4f18ca8c5955501b294fbd25bda184de828963e203e997648727d81604794c98ec048ef5ce91335eb0f804751e

Download Submit
\??\Volume{f994966a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{cba68c1d-1bda-4170-855c-095fbedf0345}_OnDiskSnapshotProp
MD5
aa70f8283c4c389bd7085f7eb803e965

SHA1
a94b1b3b3920d03ec2ebaa5fa937290d1e356e92

SHA256
b0a2cbb8917a9758b7f3ceb941b3e638a5526fd9bd6a34b9f420a0c9a7c10095

SHA512
c64a68021cb1eff24bdb956320de0f38380ac3a7921099f031440d18cb317ea1a48b66f20b74df0cfd4d0739bc44af757e2da69ebc78766cf342d59fa62569bd

Download Submit
memory/184-3-0x0000000000000000-mapping.dmp

Download
memory/192-4-0x0000000000000000-mapping.dmp

Download
memory/216-5-0x0000000000000000-mapping.dmp

Download
memory/2028-2-0x0000000000000000-mapping.dmp

Download
memory/2092-12-0x000001C2978C0000-0x000001C2978C4000-memory.dmp

Filesize
16KB

Download
memory/4140-6-0x0000000000000000-mapping.dmp

Download
memory/4196-7-0x0000000000000000-mapping.dmp

Download
memory/4268-8-0x0000000000000000-mapping.dmp

Download
memory/4320-10-0x0000000000000000-mapping.dmp

Download
memory/4444-13-0x0000000000000000-mapping.dmp

Download