Overview
overview
10Static
static
7Fake AV/An...09.exe
windows7-x64
7Fake AV/An...09.exe
windows10-2004-x64
7Fake AV/Ana.exe
windows7-x64
8Fake AV/Ana.exe
windows10-2004-x64
7Fake AV/Antivirus.exe
windows7-x64
7Fake AV/Antivirus.exe
windows10-2004-x64
7Fake AV/An...10.exe
windows7-x64
10Fake AV/An...10.exe
windows10-2004-x64
7Fake AV/An...um.exe
windows7-x64
10Fake AV/An...um.exe
windows10-2004-x64
10Fake AV/An...17.exe
windows7-x64
7Fake AV/An...17.exe
windows10-2004-x64
7Fake AV/CleanThis.exe
windows7-x64
Fake AV/CleanThis.exe
windows10-2004-x64
Fake AV/Fa...er.exe
windows7-x64
7Fake AV/Fa...er.exe
windows10-2004-x64
76AdwCleaner.exe
windows7-x64
66AdwCleaner.exe
windows10-2004-x64
6Fake AV/Fi...ll.exe
windows7-x64
7Fake AV/Fi...ll.exe
windows10-2004-x64
7Fake AV/Ha...us.exe
windows7-x64
1Fake AV/Ha...us.exe
windows10-2004-x64
1Fake AV/In...rd.exe
windows7-x64
10Fake AV/In...rd.exe
windows10-2004-x64
9Fake AV/LPS2019.exe
windows7-x64
7Fake AV/LPS2019.exe
windows10-2004-x64
7Fake AV/Mo...eg.exe
windows7-x64
7Fake AV/Mo...eg.exe
windows10-2004-x64
3Fake AV/Na...ld.exe
windows7-x64
7Fake AV/Na...ld.exe
windows10-2004-x64
7Fake AV/PC...er.exe
windows7-x64
10Fake AV/PC...er.exe
windows10-2004-x64
10Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/03/2024, 22:34
Behavioral task
behavioral1
Sample
Fake AV/AnViPC2009.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Fake AV/AnViPC2009.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Fake AV/Ana.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Fake AV/Ana.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Fake AV/Antivirus.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Fake AV/Antivirus.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Fake AV/Antivirus2010.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Fake AV/Antivirus2010.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
Fake AV/AntivirusPlatinum.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
Fake AV/AntivirusPlatinum.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
Fake AV/AntivirusPro2017.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
Fake AV/AntivirusPro2017.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
Fake AV/CleanThis.exe
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
Fake AV/CleanThis.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
Fake AV/FakeAdwCleaner.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Fake AV/FakeAdwCleaner.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
6AdwCleaner.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
6AdwCleaner.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
Fake AV/FileFixPro/FFProInstall.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
Fake AV/FileFixPro/FFProInstall.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
Fake AV/HappyAntivirus.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
Fake AV/HappyAntivirus.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
Fake AV/InternetSecurityGuard.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
Fake AV/InternetSecurityGuard.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
Fake AV/LPS2019.exe
Resource
win7-20240220-en
Behavioral task
behavioral26
Sample
Fake AV/LPS2019.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
Fake AV/Movie.mpeg.exe
Resource
win7-20240215-en
Behavioral task
behavioral28
Sample
Fake AV/Movie.mpeg.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
Fake AV/NavaShield.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
Fake AV/NavaShield.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
Fake AV/PCDefender.exe
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
Fake AV/PCDefender.exe
Resource
win10v2004-20240226-en
General
-
Target
Fake AV/PCDefender.exe
-
Size
878KB
-
MD5
e4d4a59494265949993e26dee7b077d1
-
SHA1
83e3d0c7e544117d6054e7d55932a7d2dbaf1163
-
SHA256
5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd
-
SHA512
efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718
-
SSDEEP
24576:bUWqistOB98g0Z1hPLX2jOmsQl3eW0a92Vdcvd7wR:bUUZ98g0FPLIRl3sa92Hcvd8R
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" MsiExec.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation PCDefender.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe msiexec.exe File created C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe msiexec.exe File created C:\Program Files (x86)\Def Group\PC Defender\hook.dll msiexec.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe msiexec.exe File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe msiexec.exe File created C:\Windows\Installer\e5811dd.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI1335.tmp msiexec.exe File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe msiexec.exe File opened for modification C:\Windows\Installer\e5811dd.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{FC2ABC8E-3715-4A32-B8B5-559380F45282} msiexec.exe File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe msiexec.exe File created C:\Windows\Installer\e5811e1.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f85275ef8222787e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f85275ef0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f85275ef000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df85275ef000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f85275ef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 9 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 msiexec.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538927103019166" chrome.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 msiexec.exe -
Modifies registry class 31 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings PCDefender.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Clients = 3a0000000000 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media msiexec.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2856 msiexec.exe 2856 msiexec.exe 4212 chrome.exe 4212 chrome.exe -
Suspicious behavior: LoadsDriver 10 IoCs
pid Process 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 664 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2500 msiexec.exe Token: SeIncreaseQuotaPrivilege 2500 msiexec.exe Token: SeSecurityPrivilege 2856 msiexec.exe Token: SeCreateTokenPrivilege 2500 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2500 msiexec.exe Token: SeLockMemoryPrivilege 2500 msiexec.exe Token: SeIncreaseQuotaPrivilege 2500 msiexec.exe Token: SeMachineAccountPrivilege 2500 msiexec.exe Token: SeTcbPrivilege 2500 msiexec.exe Token: SeSecurityPrivilege 2500 msiexec.exe Token: SeTakeOwnershipPrivilege 2500 msiexec.exe Token: SeLoadDriverPrivilege 2500 msiexec.exe Token: SeSystemProfilePrivilege 2500 msiexec.exe Token: SeSystemtimePrivilege 2500 msiexec.exe Token: SeProfSingleProcessPrivilege 2500 msiexec.exe Token: SeIncBasePriorityPrivilege 2500 msiexec.exe Token: SeCreatePagefilePrivilege 2500 msiexec.exe Token: SeCreatePermanentPrivilege 2500 msiexec.exe Token: SeBackupPrivilege 2500 msiexec.exe Token: SeRestorePrivilege 2500 msiexec.exe Token: SeShutdownPrivilege 2500 msiexec.exe Token: SeDebugPrivilege 2500 msiexec.exe Token: SeAuditPrivilege 2500 msiexec.exe Token: SeSystemEnvironmentPrivilege 2500 msiexec.exe Token: SeChangeNotifyPrivilege 2500 msiexec.exe Token: SeRemoteShutdownPrivilege 2500 msiexec.exe Token: SeUndockPrivilege 2500 msiexec.exe Token: SeSyncAgentPrivilege 2500 msiexec.exe Token: SeEnableDelegationPrivilege 2500 msiexec.exe Token: SeManageVolumePrivilege 2500 msiexec.exe Token: SeImpersonatePrivilege 2500 msiexec.exe Token: SeCreateGlobalPrivilege 2500 msiexec.exe Token: SeBackupPrivilege 4540 vssvc.exe Token: SeRestorePrivilege 4540 vssvc.exe Token: SeAuditPrivilege 4540 vssvc.exe Token: SeBackupPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe Token: SeTakeOwnershipPrivilege 2856 msiexec.exe Token: SeRestorePrivilege 2856 msiexec.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2500 msiexec.exe 2500 msiexec.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe 4212 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4372 wrote to memory of 2500 4372 PCDefender.exe 86 PID 4372 wrote to memory of 2500 4372 PCDefender.exe 86 PID 4372 wrote to memory of 2500 4372 PCDefender.exe 86 PID 2856 wrote to memory of 1468 2856 msiexec.exe 96 PID 2856 wrote to memory of 1468 2856 msiexec.exe 96 PID 2856 wrote to memory of 1220 2856 msiexec.exe 99 PID 2856 wrote to memory of 1220 2856 msiexec.exe 99 PID 2856 wrote to memory of 1220 2856 msiexec.exe 99 PID 4212 wrote to memory of 3724 4212 chrome.exe 123 PID 4212 wrote to memory of 3724 4212 chrome.exe 123 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 920 4212 chrome.exe 125 PID 4212 wrote to memory of 3804 4212 chrome.exe 126 PID 4212 wrote to memory of 3804 4212 chrome.exe 126 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 PID 4212 wrote to memory of 5024 4212 chrome.exe 127 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2500
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1468
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EDB8E2C4D105E8B14E8F9980575AC7AF E Global\MSI00002⤵
- Modifies WinLogon for persistence
- Modifies data under HKEY_USERS
PID:1220
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaa8489758,0x7ffaa8489768,0x7ffaa84897782⤵PID:3724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:22⤵PID:920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:82⤵PID:3804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:82⤵PID:5024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:12⤵PID:3120
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:12⤵PID:4036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:12⤵PID:5284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:82⤵PID:5460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:82⤵PID:5504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:82⤵PID:5636
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:5128
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5c94dabdd1e33f0a09652fa6bc7bfc184
SHA1b48183e017fc43e4abe2d999fd6ca9ccecccc66e
SHA2564b96540bbad8a7acca851013b6f35a5cb7ec3120c6ca5b9f3fd1e2fff5a68d5d
SHA512b6a3f2d4ab933255a19054974398825cfb217d6b160e976730333e854b58c415e8f2f5e525e65fcac433adf93e2e848f1557d82d6b5eeb771a70bbbe5c6e7db4
-
Filesize
371B
MD5b1339764e026ac9bdb7e673a0d2fb17a
SHA117bb45545722f681e29bb0542e03e8b9f4f41465
SHA2565ae84ac103d09ce26a77380e25b5c53ae6b0acf7825a4310aba4ec16a0a61698
SHA5123090f3e46d0d8e4cef31071592244e2b6a735d909c06f082dbe46e5643658198c8a1abcfcc1c359b0f834e8a1d32c646dd5f5da638fe9ee0112f0f877d930e4b
-
Filesize
6KB
MD53fb10993e95dad2c3ec354cea001108b
SHA1da42344fa918b69bbf488736bbb0dbc840098e4d
SHA2567e204a42441eb6c3f9f494acae2bcbbfc7bc474b799951471bc3b909c8d279f4
SHA512481c052abe31b61f1c48d8db91777ff6d55d4c749c543b8705aed0f35d92ac9a78d8f5c2bf5339812dfba25578c06b16eaa53db2b2757154bb87514b8fca4f65
-
Filesize
15KB
MD54a17848095bea25aecfa2687952c96c6
SHA1fd49f9400efcac4ed473c742f6851563e0ec1cde
SHA256ab3f4158cf1e2f64477e4e3b142ef5e6e056d07d4d336645127f70e1263d154c
SHA512143291ace88842560a5f0b24402f9301fcca2c4f6893762d5927520edad1d1618d87736f94ffacb91a346d20823274785cdbf46854f659b37a7862bdf0dc222a
-
Filesize
254KB
MD54b21c844fe63940cc4dc14c66f92416f
SHA1c08525bbfec0f1b168ea9d4f61b476e3d824308d
SHA2562b3264da95ba92c2cdafb5badcfc02f94db79953a008e08a8b659a8f9a65ea51
SHA51296adebf75b6af07e16881284374d0057bc6ebf0d605e866cc249493bd5b0f5a88c5a8b887d40e0bceb32ebb8a0a0e283b33ee7c5740ff59ef2f6043fcdcbfb51
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
870KB
MD57f728acab22868ca02cc1ba0a14f5d64
SHA19e3e82b152447b8bcd27583fbdab7aa91ca4739d
SHA256586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4
SHA5129bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800
-
Filesize
21KB
MD5b84df77564555c63c899fce0fcec7edb
SHA1e63e7560b3c583616102cad58b06433b1a9903b0
SHA256912ebab4ab2ea830b961df778dd854e555c89e05e25b7c02b3737429115405f9
SHA512857717981c44a6a5fbb1bd34308e981c448746e0ea2d5bea94516fea20d0186e00a3547ad0b948c10fd9493e3ca00c0899927b0fa51c240697faacbbecca033a
-
Filesize
22.9MB
MD56ef1fc6b1984c9bcd4ddf002e09be3d7
SHA105d0364bfc7d50d4d76ddf517156ecf1b1517125
SHA2565c5d5a681e552e8b003e8ec2711bd7ffec5c923bd529d7c8a16f7f440dd4a113
SHA5122ebfa5218479ea34f23c7fde15f86bf8447ebc798490d1b0029931c0f55c717119f5a8c47a6141a7c090f897cb45720f7910afb0e8e4b48f1513284d0739760f
-
\??\Volume{ef7552f8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2fc0da7-0319-4d25-a2d3-2d4826c35753}_OnDiskSnapshotProp
Filesize6KB
MD54938c71bd8c2422235e1fe2027f16d65
SHA1ee894facb01f9cd1d0764bc8bf4ac16c4ccd525e
SHA2560c36e793a2adf0d69a57705bfdf96c3ed1c31d71fcce2f558fb5e2284b1e416c
SHA512850db522ee1af1885815fec4eb67dc9bf7815314ab36eae4a6f6bee0535e1b75fd6924b0e574ea2b34906d78020c612d48091f06231a5253094ac0365009ff45