Overview
Analysis
max time kernel: 148s
max time network: 159s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 22:34
Behavioral tasks (task | sample | resource)
behavioral1 | Fake AV/AnViPC2009.exe | win7-20240221-en
behavioral2 | Fake AV/AnViPC2009.exe | win10v2004-20240226-en
behavioral3 | Fake AV/Ana.exe | win7-20240221-en
behavioral4 | Fake AV/Ana.exe | win10v2004-20240226-en
behavioral5 | Fake AV/Antivirus.exe | win7-20240221-en
behavioral6 | Fake AV/Antivirus.exe | win10v2004-20240226-en
behavioral7 | Fake AV/Antivirus2010.exe | win7-20240221-en
behavioral8 | Fake AV/Antivirus2010.exe | win10v2004-20240226-en
behavioral9 | Fake AV/AntivirusPlatinum.exe | win7-20240221-en
behavioral10 | Fake AV/AntivirusPlatinum.exe | win10v2004-20240226-en
behavioral11 | Fake AV/AntivirusPro2017.exe | win7-20240221-en
behavioral12 | Fake AV/AntivirusPro2017.exe | win10v2004-20240226-en
behavioral13 | Fake AV/CleanThis.exe | win7-20240220-en
behavioral14 | Fake AV/CleanThis.exe | win10v2004-20240226-en
behavioral15 | Fake AV/FakeAdwCleaner.exe | win7-20240221-en
behavioral16 | Fake AV/FakeAdwCleaner.exe | win10v2004-20240226-en
behavioral17 | 6AdwCleaner.exe | win7-20240221-en
behavioral18 | 6AdwCleaner.exe | win10v2004-20240226-en
behavioral19 | Fake AV/FileFixPro/FFProInstall.exe | win7-20240221-en
behavioral20 | Fake AV/FileFixPro/FFProInstall.exe | win10v2004-20240226-en
behavioral21 | Fake AV/HappyAntivirus.exe | win7-20240221-en
behavioral22 | Fake AV/HappyAntivirus.exe | win10v2004-20240226-en
behavioral23 | Fake AV/InternetSecurityGuard.exe | win7-20240221-en
behavioral24 | Fake AV/InternetSecurityGuard.exe | win10v2004-20240226-en
behavioral25 | Fake AV/LPS2019.exe | win7-20240220-en
behavioral26 | Fake AV/LPS2019.exe | win10v2004-20240226-en
behavioral27 | Fake AV/Movie.mpeg.exe | win7-20240215-en
behavioral28 | Fake AV/Movie.mpeg.exe | win10v2004-20240226-en
behavioral29 | Fake AV/NavaShield.exe | win7-20240221-en
behavioral30 | Fake AV/NavaShield.exe | win10v2004-20240226-en
behavioral31 | Fake AV/PCDefender.exe | win7-20240221-en
behavioral32 | Fake AV/PCDefender.exe | win10v2004-20240226-en
General
Target: Fake AV/PCDefender.exe
Size: 878KB
MD5: e4d4a59494265949993e26dee7b077d1
SHA1: 83e3d0c7e544117d6054e7d55932a7d2dbaf1163
SHA256: 5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
SHA512: efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
SSDEEP: 24576:bUWqistOB98g0Z1hPLX2jOmsQl3eW0a92Vdcvd7wR:bUUZ98g0FPLIRl3sa92Hcvd8R
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" | MsiExec.exe
Executes dropped EXE (2 IoCs)
pid | process
2824 | Antispyware.exe
1148 | proccheck.exe
Loads dropped DLL (3 IoCs)
pid | process
1660 | MsiExec.exe
2824 | Antispyware.exe
2824 | Antispyware.exe

description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Antispyware.exe
Drops desktop.ini file(s) (1 IoC)
description | ioc | process
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | iexplore.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (3 IoCs)
description | ioc | process
File created | C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | msiexec.exe
File created | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | msiexec.exe
File created | C:\Program Files (x86)\Def Group\PC Defender\hook.dll | msiexec.exe
Drops file in Windows directory (14 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (9 IoCs)
pid | process
1636 | msiexec.exe
1636 | msiexec.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
1752 | iexplore.exe
Suspicious use of SendNotifyMessage (6 IoCs)
pid | process
2824 | Antispyware.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
2824 | Antispyware.exe
Suspicious use of SetWindowsHookEx (22 IoCs)
Suspicious use of WriteProcessMemory 45 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2292 wrote to memory of 1636 | 2292 | PCDefender.exe | 28 |
| PID 2292 wrote to memory of 1636 | 2292 | PCDefender.exe | 28 |
| PID 2292 wrote to memory of 1636 | 2292 | PCDefender.exe | 28 |
| PID 2292 wrote to memory of 1636 | 2292 | PCDefender.exe | 28 |
| PID 2292 wrote to memory of 1636 | 2292 | PCDefender.exe | 28 |
| PID 2292 wrote to memory of 1636 | 2292 | PCDefender.exe | 28 |
| PID 2292 wrote to memory of 1636 | 2292 | PCDefender.exe | 28 |
| PID 2660 wrote to memory of 1660 | 2660 | msiexec.exe | 34 |
| PID 2660 wrote to memory of 1660 | 2660 | msiexec.exe | 34 |
| PID 2660 wrote to memory of 1660 | 2660 | msiexec.exe | 34 |
| PID 2660 wrote to memory of 1660 | 2660 | msiexec.exe | 34 |
| PID 2660 wrote to memory of 1660 | 2660 | msiexec.exe | 34 |
| PID 2660 wrote to memory of 1660 | 2660 | msiexec.exe | 34 |
| PID 2660 wrote to memory of 1660 | 2660 | msiexec.exe | 34 |
| PID 1660 wrote to memory of 344 | 1660 | MsiExec.exe | 36 |
| PID 1660 wrote to memory of 344 | 1660 | MsiExec.exe | 36 |
| PID 1660 wrote to memory of 344 | 1660 | MsiExec.exe | 36 |
| PID 1660 wrote to memory of 344 | 1660 | MsiExec.exe | 36 |
| PID 1660 wrote to memory of 1500 | 1660 | MsiExec.exe | 38 |
| PID 1660 wrote to memory of 1500 | 1660 | MsiExec.exe | 38 |
| PID 1660 wrote to memory of 1500 | 1660 | MsiExec.exe | 38 |
| PID 1660 wrote to memory of 1500 | 1660 | MsiExec.exe | 38 |
| PID 1660 wrote to memory of 820 | 1660 | MsiExec.exe | 40 |
| PID 1660 wrote to memory of 820 | 1660 | MsiExec.exe | 40 |
| PID 1660 wrote to memory of 820 | 1660 | MsiExec.exe | 40 |
| PID 1660 wrote to memory of 820 | 1660 | MsiExec.exe | 40 |
| PID 1660 wrote to memory of 3032 | 1660 | MsiExec.exe | 42 |
| PID 1660 wrote to memory of 3032 | 1660 | MsiExec.exe | 42 |
| PID 1660 wrote to memory of 3032 | 1660 | MsiExec.exe | 42 |
| PID 1660 wrote to memory of 3032 | 1660 | MsiExec.exe | 42 |
| PID 1660 wrote to memory of 2824 | 1660 | MsiExec.exe | 44 |
| PID 1660 wrote to memory of 2824 | 1660 | MsiExec.exe | 44 |
| PID 1660 wrote to memory of 2824 | 1660 | MsiExec.exe | 44 |
| PID 1660 wrote to memory of 2824 | 1660 | MsiExec.exe | 44 |
| PID 2824 wrote to memory of 1148 | 2824 | Antispyware.exe | 45 |
| PID 2824 wrote to memory of 1148 | 2824 | Antispyware.exe | 45 |
| PID 2824 wrote to memory of 1148 | 2824 | Antispyware.exe | 45 |
| PID 2824 wrote to memory of 1148 | 2824 | Antispyware.exe | 45 |
| PID 1752 wrote to memory of 1700 | 1752 | iexplore.exe | 50 |
| PID 1752 wrote to memory of 1700 | 1752 | iexplore.exe | 50 |
| PID 1752 wrote to memory of 1700 | 1752 | iexplore.exe | 50 |
| PID 1752 wrote to memory of 2144 | 1752 | iexplore.exe | 51 |
| PID 1752 wrote to memory of 2144 | 1752 | iexplore.exe | 51 |
| PID 1752 wrote to memory of 2144 | 1752 | iexplore.exe | 51 |
| PID 1752 wrote to memory of 2144 | 1752 | iexplore.exe | 51 |
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; nesting follows the parent/child depth markers of the report, and the signature lines under each process are the ones the report attached to it)

1. C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe (PID 2292)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"
   - Suspicious use of WriteProcessMemory
   1.1. C:\Windows\SysWOW64\msiexec.exe (PID 1636)
        Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow

2. C:\Windows\system32\msiexec.exe (PID 2660)
   Command line: C:\Windows\system32\msiexec.exe /V
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2.1. C:\Windows\syswow64\MsiExec.exe (PID 1660)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D03C52A3A4BAC024271885A7D74981C4 M Global\MSI0000
        - Modifies WinLogon for persistence
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        2.1.1. C:\Windows\SysWOW64\reg.exe (PID 344)
               Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f
               - Modifies registry class
        2.1.2. C:\Windows\SysWOW64\reg.exe (PID 1500)
               Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f
               - Modifies registry class
        2.1.3. C:\Windows\SysWOW64\reg.exe (PID 820)
               Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f
               - Modifies registry class
        2.1.4. C:\Windows\SysWOW64\reg.exe (PID 3032)
               Command line: "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 /f
               - Modifies registry class
        2.1.5. C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe (PID 2824)
               Command line: "C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe"
               - Executes dropped EXE
               - Loads dropped DLL
               - Checks whether UAC is enabled
               - Modifies data under HKEY_USERS
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               2.1.5.1. C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe (PID 1148)
                        Command line: "C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" Antispyware.exe
                        - Executes dropped EXE
                        - Suspicious behavior: EnumeratesProcesses

3. C:\Windows\system32\vssvc.exe (PID 2520)
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

4. C:\Windows\system32\DrvInst.exe (PID 2896)
   Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000004A0"
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   - Suspicious use of AdjustPrivilegeToken

5. C:\Program Files\Internet Explorer\iexplore.exe (PID 1752)
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
   - Drops desktop.ini file(s)
   - Modifies data under HKEY_USERS
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   5.1. C:\Windows\System32\ie4uinit.exe (PID 1700)
        Command line: "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
   5.2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2144)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2
        - Modifies data under HKEY_USERS
        - Suspicious use of SetWindowsHookEx
   5.3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2560)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:537612 /prefetch:2
   5.4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2128)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275482 /prefetch:2
Network
MITRE ATT&CK Enterprise v15
Downloads