Analysis Overview
SHA256
aee69ef9040e902b7a6639d7594df47e0e73625143a671583db8b85be525a3e5
Threat Level: Known bad
The file Fake AV.zip was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Windows security bypass
UAC bypass
Modifies security service
Checks for common network interception software
Enumerates VirtualBox registry keys
Drops file in Drivers directory
Sets service image path in registry
Blocks application from running via registry modification
Sets file execution options in registry
Disables RegEdit via registry modification
Adds policy Run key to start application
Loads dropped DLL
Modifies system executable filetype association
Unexpected DNS network traffic destination
Executes dropped EXE
UPX packed file
Checks BIOS information in registry
Checks computer location settings
Windows security modification
Deletes itself
Reads user/profile data of web browsers
Maps connected drives based on registry
Checks registry for disk virtualization
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Drops desktop.ini file(s)
Checks whether UAC is enabled
Enumerates connected drives
Checks for any installed AV software in registry
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
NSIS installer
Runs net.exe
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy WMI provider
Runs ping.exe
System policy modification
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
Gathers network information
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Script User-Agent
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-02 22:34
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
146s
Max time network
122s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Checks for common network interception software
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\host_new | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\support.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[5].exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitor9x.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\teekids.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLT.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFSrv.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jdbgmrg.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmain.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpconfg.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan40.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\istsvc.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htpatch.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp95.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procdump.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bundle.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sahagent.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnpc3000.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUNMain.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iedriver.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ray.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootconf.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnetinfo.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebProxy.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxav.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxas.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\950a2\\ISd8b.exe\" /s /d" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\ | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IIL = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ltHI = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ltTST = "15831" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAKEAV~1\\INTERN~1.EXE" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\ = "Implements DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Internet Explorer | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "InternetSecurityGuard.DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\mofcomp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp "C:\Users\Admin\AppData\Local\Temp\Fake AV\6268.mof"
C:\Windows\SysWOW64\netsh.exe
netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.net 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.net 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.net 208.67.220.220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
32s
Max time network
39s
Command Line
Signatures
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\physicaldrive0 | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\authzi.exe | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = (certificate blob data not shown) | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe"
C:\Users\Admin\AppData\Local\Temp\AV.EXE
"C:\Users\Admin\AppData\Local\Temp\AV.EXE"
C:\Users\Admin\AppData\Local\Temp\AV2.EXE
"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
C:\Users\Admin\AppData\Local\Temp\DB.EXE
"C:\Users\Admin\AppData\Local\Temp\DB.EXE"
C:\Users\Admin\AppData\Local\Temp\EN.EXE
"C:\Users\Admin\AppData\Local\Temp\EN.EXE"
C:\Users\Admin\AppData\Local\Temp\SB.EXE
"C:\Users\Admin\AppData\Local\Temp\SB.EXE"
C:\Windows\SysWOW64\cmd.exe
/c C:\Users\Admin\AppData\Local\Temp\~unins9125.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
Network
Files
memory/4764-86-0x0000000000560000-0x0000000000563000-memory.dmp
memory/4764-90-0x0000000000400000-0x00000000004C3000-memory.dmp
memory/4764-91-0x0000000000650000-0x0000000000651000-memory.dmp
memory/4940-92-0x0000000000590000-0x0000000000623000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING2.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING3.MAP | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\OBJECTS.DATA | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\INDEX.BTR | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\WRITABLE.TST | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\repository\MAPPING1.MAP | C:\Windows\system32\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AnVi\splash.mp3 | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| File created | C:\Program Files (x86)\AnVi\virus.mp3 | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\mofcomp.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe"
C:\Windows\SysWOW64\net.exe
net stop wscsvc
C:\Windows\SysWOW64\net.exe
net stop winmgmt /y
C:\Windows\SysWOW64\net.exe
net start winmgmt
C:\Windows\SysWOW64\net.exe
net start wscsvc
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start wscsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | highway-traffic.com | udp |
| US | 8.8.8.8:53 | searchdusty.com | udp |
| CA | 54.39.157.64:80 | searchdusty.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fastsofgeld.com | udp |
| US | 8.8.8.8:53 | frequentwin.com | udp |
| US | 8.8.8.8:53 | 64.157.39.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | highway-traffic.com | udp |
| CA | 54.39.157.64:80 | searchdusty.com | tcp |
| US | 8.8.8.8:53 | fastsofgeld.com | udp |
| US | 8.8.8.8:53 | frequentwin.com | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | highway-traffic.com | udp |
| CA | 54.39.157.64:80 | searchdusty.com | tcp |
| US | 8.8.8.8:53 | fastsofgeld.com | udp |
| US | 8.8.8.8:53 | frequentwin.com | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
| MD5 | 7fad92afda308dca8acfc6ff45c80c24 |
| SHA1 | a7fa35e7f90f772fc943c2e940737a48b654c295 |
| SHA256 | 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f |
| SHA512 | 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea |
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
144s
Max time network
124s
Command Line
Signatures
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fake AV\\AntivirusPro2017.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | twinkcam.net | udp |
| US | 103.224.212.215:80 | twinkcam.net | tcp |
| US | 8.8.8.8:53 | ww25.twinkcam.net | udp |
| US | 199.59.243.225:80 | ww25.twinkcam.net | tcp |
Files
memory/2484-0-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-2-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2484-1-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-4-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-6-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2484-5-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-7-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-8-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-9-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-11-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-10-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-12-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2484-13-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-15-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-16-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-17-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-20-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-21-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-22-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-23-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/2484-24-0x0000000000400000-0x0000000000A06000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
120s
Max time network
148s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6AdwCleaner.exe\" -auto" | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
Files
memory/2388-0-0x0000000000C70000-0x0000000000C9E000-memory.dmp
memory/2388-1-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2388-2-0x000000001B260000-0x000000001B2E0000-memory.dmp
memory/2388-3-0x000000001B260000-0x000000001B2E0000-memory.dmp
memory/2388-4-0x000000001B260000-0x000000001B2E0000-memory.dmp
memory/2388-5-0x000000001B260000-0x000000001B2E0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar9A24.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
memory/2388-104-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2388-105-0x000000001B260000-0x000000001B2E0000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe"
Network
Files
memory/1784-0-0x0000000000EC0000-0x00000000010B2000-memory.dmp
memory/1784-1-0x0000000074D30000-0x000000007541E000-memory.dmp
memory/1784-2-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
memory/1784-3-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
memory/1784-4-0x0000000074D30000-0x000000007541E000-memory.dmp
memory/1784-5-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240220-en
Max time kernel
142s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe" | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\HjuTygFcvX | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| File created | C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_259398446 | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| File created | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| File opened for modification | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe |
| PID 2128 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe |
| PID 2128 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe |
| PID 2128 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe"
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
Network
Files
\Program Files (x86)\HjuTygFcvX\lpsprt.exe
| MD5 | 2e6360eeebcafd207ad6f4cfc81afdb3 |
| SHA1 | 6d85d48c8c809ad0ee5f7b1b20ef79e871466072 |
| SHA256 | 3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b |
| SHA512 | 36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4 |
memory/2580-18-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp
memory/2580-19-0x0000000000A10000-0x0000000000A90000-memory.dmp
memory/2580-20-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp
memory/2580-21-0x000000001AFD0000-0x000000001B16C000-memory.dmp
memory/2580-23-0x0000000000A10000-0x0000000000A90000-memory.dmp
memory/2580-22-0x0000000000A10000-0x0000000000A90000-memory.dmp
memory/2580-24-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp
memory/2580-25-0x0000000000A10000-0x0000000000A90000-memory.dmp
memory/2580-26-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp
memory/2580-27-0x0000000000A10000-0x0000000000A90000-memory.dmp
memory/2580-28-0x0000000000A10000-0x0000000000A90000-memory.dmp
memory/2580-29-0x0000000000A10000-0x0000000000A90000-memory.dmp
memory/2580-30-0x0000000000A10000-0x0000000000A90000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009 | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_259417073 | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe"
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | yandex.ru | udp |
| US | 8.8.8.8:53 | google.ru | udp |
| RU | 5.255.255.70:80 | yandex.ru | tcp |
| GB | 216.58.213.3:80 | google.ru | tcp |
| RU | 5.255.255.70:443 | yandex.ru | tcp |
Files
\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | c18a7323332b3292a8e0f1c81df65698 |
| SHA1 | bcb8f34cbe0137e888d06acbcb6508417851a087 |
| SHA256 | 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8 |
| SHA512 | 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad |
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | 5836a2a04328c778e9a485fe7d8c7aaa |
| SHA1 | 5a3214379be96f52fc6c639de17efa6e66b12188 |
| SHA256 | 98d6b205baa9c6167d2c7a7a4b4804f74a7795724dd894c2de0b6823b83e6f2a |
| SHA512 | a66a9c1d97736d63fd9fc38743d9313b726f40c4f522065c71eb0f8f9c0b797e51f5927c7c03041b2cbcb7ae1b23ed46b0fba3eb0f946adb172bcb7ab5551948 |
\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | cfefcac1f28b2c3d8facac87c05fba83 |
| SHA1 | 7370ffee89bea5ee9f298b6a5bdec945f1714175 |
| SHA256 | 78b77d996c5c0f95ad044f219e5899858c2eda73b0c094e9b9228828f22fd501 |
| SHA512 | efa53779ea99553a3618b10e43ac6dd37cafb1fcf45ab7015f54925ecfe4aa9dd9c62258983f2e0e2f5dc221cc6fc669df2c26d610c58081719c301bc0e4e699 |
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | d794146696509541e8d1efbd2e9d0934 |
| SHA1 | dbb5b432734f357a28f42871dcedacfcd55053a7 |
| SHA256 | bef3c4dda6aafab6d7cc57eb921c51ca4bdba2365405810a551d652773a6d420 |
| SHA512 | b23ccb74a7cece8d4cca46d86c91688842414b0f28377bf59b29249e5c3743147797c9042806848f6dd40196d3d5e09ac217feb809c4f73139901fb611e50cb5 |
C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
| MD5 | 00a71b4afda8033235432b1c433fecc7 |
| SHA1 | d7b0c218aa8fec1c60ada26a09d9e0d9601985ca |
| SHA256 | f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd |
| SHA512 | 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a |
C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
| MD5 | 0ab7d0e87f3843f8104b3670f5a9af62 |
| SHA1 | 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5 |
| SHA256 | 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b |
| SHA512 | e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375 |
\Program Files (x86)\antiviruspc2009\bzip2.dll
| MD5 | 4143d4973e0f5a5180e114bdd868d4d2 |
| SHA1 | b47fd2cf9db0f37c04e4425085fb953cbce81478 |
| SHA256 | da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76 |
| SHA512 | e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc |
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | 44d8f1b5659f5512ae3309e65ed77040 |
| SHA1 | c3f66712509d3613b4b77d02cebdb2227999431b |
| SHA256 | a6570473a07f88638779ae2c84598c5536e864e0038fdfb76fa8b0acafae6560 |
| SHA512 | b30e5ed41d5beacd211a8df120556be52ad65df436fa1a29215799b22ee3014379b986a99e475d51a50df9907f8e1255e26d9cb81201d638833707af13a13efa |
memory/2556-25-0x0000000068440000-0x0000000068457000-memory.dmp
memory/2556-24-0x000000006FDC0000-0x000000006FDCE000-memory.dmp
memory/2556-32-0x000000006FDC0000-0x000000006FDCE000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-03-02 22:34 |
| Reported | 2024-03-02 22:38 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 142s |
| Max time network | 116s |
| Command Line | |
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009 | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_240604609 | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\bzip2.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File created | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
| File opened for modification | C:\Program Files (x86)\antiviruspc2009\libltdl3.dll | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 232 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe |
| PID 232 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe |
| PID 232 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | C:\Program Files (x86)\antiviruspc2009\avpc2009.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe | "C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe" |
| C:\Program Files (x86)\antiviruspc2009\avpc2009.exe | "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.ru | udp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| RU | 77.88.55.60:80 | yandex.ru | tcp |
| GB | 216.58.213.3:80 | google.ru | tcp |
| RU | 77.88.55.60:443 | yandex.ru | tcp |
| US | 8.8.8.8:53 | 3.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.55.88.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
| MD5 | c18a7323332b3292a8e0f1c81df65698 |
| SHA1 | bcb8f34cbe0137e888d06acbcb6508417851a087 |
| SHA256 | 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8 |
| SHA512 | 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad |
C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
| MD5 | 0ab7d0e87f3843f8104b3670f5a9af62 |
| SHA1 | 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5 |
| SHA256 | 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b |
| SHA512 | e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375 |
C:\Program Files (x86)\antiviruspc2009\bzip2.dll
| MD5 | 4143d4973e0f5a5180e114bdd868d4d2 |
| SHA1 | b47fd2cf9db0f37c04e4425085fb953cbce81478 |
| SHA256 | da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76 |
| SHA512 | e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc |
C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
| MD5 | 00a71b4afda8033235432b1c433fecc7 |
| SHA1 | d7b0c218aa8fec1c60ada26a09d9e0d9601985ca |
| SHA256 | f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd |
| SHA512 | 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a |
memory/4200-27-0x000000006FDC0000-0x000000006FDCE000-memory.dmp
memory/4200-28-0x0000000068440000-0x0000000068457000-memory.dmp
memory/4200-33-0x000000006FDC0000-0x000000006FDCE000-memory.dmp
Analysis: behavioral13
Detonation Overview
| Field | Value |
| Submitted | 2024-03-02 22:34 |
| Reported | 2024-03-02 22:36 |
| Platform | win7-20240220-en |
| Max time kernel | 8s |
| Max time network | 10s |
| Command Line | |
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\gog.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | "C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe" |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x0 |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x1 |
Network
| Country | Destination | Domain | Proto |
| LT | 94.244.80.60:80 | | tcp |
Files
memory/2368-0-0x0000000000400000-0x000000000057F000-memory.dmp
memory/2368-1-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/2708-5-0x0000000002E90000-0x0000000002E91000-memory.dmp
memory/2368-4-0x0000000000400000-0x000000000057F000-memory.dmp
memory/2584-6-0x0000000002B30000-0x0000000002B31000-memory.dmp
Analysis: behavioral19
Detonation Overview
| Field | Value |
| Submitted | 2024-03-02 22:34 |
| Reported | 2024-03-02 22:38 |
| Platform | win7-20240221-en |
| Max time kernel | 152s |
| Max time network | 128s |
| Command Line | |
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\THMBNAIL.PNG | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\logo.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\icon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\back_lrg.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File created | C:\Program Files (x86)\FileFix Professional 2009\is-F9R86.tmp | C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\THMBNAIL.PNG | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_btn-back-over-select.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\1047x576black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\NavigationRight_ButtonGraphic.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_WMC_LogoText.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\combo-hover-left.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\PreviousMenuButtonIconSubpi.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 10.wma | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-babyboy_31bf3856ad364e35_6.1.7600.16385_none_f13596916b261f67\nav_rightarrow.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\Title_select-highlight.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\photograph.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\header-background.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\NavigationRight_SelectionSubpicture.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_black_rainy.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp3.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\circleround_glass.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_image-frame-ImageMask.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\cronometer_s.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\NavigationLeft_SelectionSubpicture.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\logo.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_snow.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Perf_Scenes_Mask1.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\btn-next-static.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\25.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\1047x576black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\dotsdarkoverlay.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\glass.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\buttonUp_On.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\rss_headline_glow_flyout.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\2.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\NavigationLeft_SelectionSubpicture.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-shanghai_31bf3856ad364e35_6.1.7600.16385_none_1c98ed5d08db04ce\MahjongMCE.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-purbleplace_31bf3856ad364e35_6.1.7600.16385_none_622070221822eb39\PurblePlaceMCE.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Nature\img6.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(144DPI)grayStateIcon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(144DPI)notConnectedStateIcon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\NavigationRight_SelectionSubpicture.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\GB-wp2.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\4to3Squareframe_SelectionSubpicture.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\29.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-new_partly-cloudy.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-waxing-crescent_partly-cloudy.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\35.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\img16.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_corner_bottom_right.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\bNext-hot.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\graph_down.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\img12.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Koala.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\28.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_blue_sun.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\NavigationRight_SelectionSubpicture.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_frame-border.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\whitevignette1047.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp3.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\ParentMenuButtonIcon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Landscapes\img10.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\rings-desk.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Bears.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\vintage.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_hail.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\play-background.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\button-highlight.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe"
C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp" /SL4 $60150 "C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe" 232353 52224
C:\Program Files (x86)\FileFix Professional 2009\wizard.exe
"C:\Program Files (x86)\FileFix Professional 2009\wizard.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filefixpro.com | udp |
Files
memory/1696-0-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1696-2-0x0000000000400000-0x0000000000413000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp
| MD5 | 0360b1d1195775766b2e78a7b463f658 |
| SHA1 | 8e4b2b1b6d1e4446c979b0cea7db6db7eee21610 |
| SHA256 | bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4 |
| SHA512 | 23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d |
\Users\Admin\AppData\Local\Temp\is-PF36L.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1696-16-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1996-17-0x0000000000400000-0x00000000004B1000-memory.dmp
\Program Files (x86)\FileFix Professional 2009\wizard.exe
| MD5 | e1827fbbf959d7c5f3219a1f0b0c35fc |
| SHA1 | 677d7c6179729fdb4a25afdd5579533f1606c810 |
| SHA256 | c28ac5f267bec7650ce271c12b23f087f9c3927a46b48682e363581fa29e2a5d |
| SHA512 | a65dc0550f9d1501add93390501027d83002c2df0df22bbf5d88dce9c98b6ebb4a2c297010e44cfebfaa8b7ba0f77ed12c2d13fb9b213e15c4b53dfd56ead0c3 |
\Program Files (x86)\FileFix Professional 2009\unins000.exe
| MD5 | 361c253d8b03085714b050875274fb67 |
| SHA1 | 1f79d4cde86f67b206bd623fac80c73463b59db4 |
| SHA256 | 644cc1a533c21965d92af0d9ebb7a92ff6c9292582e7b4056d241bd590176023 |
| SHA512 | d3aa94c4b14883c66abdb733e7d2d6d62f3f255de005705d87d11a7096b168f38789e2010b6f582f572e97de9257d20358741a08e9c2881fce353b946f7b1875 |
\Program Files (x86)\FileFix Professional 2009\wizard.exe
| MD5 | 87873a5927e1234f9a31089c5d33e526 |
| SHA1 | 0d063f0c246ac4dffd18c2b8f51577e7bfa156f8 |
| SHA256 | 29e39a5cf12995d3623c803d514c3c9f448a40bd9359cda1c41e894ef6e23a63 |
| SHA512 | d732e266ebbed9a330e4ea2e6a9007fed90829269293b285d9be3556872b291f8c93b700c820db17c2f37d73521e93ec4f59f2f264dc9c333e55031d4db70337 |
memory/1996-57-0x0000000000400000-0x00000000004B1000-memory.dmp
memory/1696-62-0x0000000000400000-0x0000000000413000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
159s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe" | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\HjuTygFcvX | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| File created | C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_240641656 | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| File created | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
| File opened for modification | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2684 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe |
| PID 2684 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe |
| PID 2924 wrote to memory of 3292 | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe |
| PID 2924 wrote to memory of 3292 | N/A | C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe"
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2780
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
| MD5 | 2e6360eeebcafd207ad6f4cfc81afdb3 |
| SHA1 | 6d85d48c8c809ad0ee5f7b1b20ef79e871466072 |
| SHA256 | 3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b |
| SHA512 | 36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4 |
memory/2924-15-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp
memory/2924-16-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp
memory/2924-17-0x0000000001740000-0x0000000001750000-memory.dmp
memory/2924-18-0x000000001C1B0000-0x000000001C67E000-memory.dmp
memory/2924-19-0x000000001CD00000-0x000000001CE9C000-memory.dmp
memory/2924-20-0x000000001CF50000-0x000000001CFF6000-memory.dmp
memory/2924-21-0x000000001D0A0000-0x000000001D13C000-memory.dmp
memory/2924-22-0x0000000001720000-0x0000000001728000-memory.dmp
memory/2924-23-0x000000001D1A0000-0x000000001D1EC000-memory.dmp
memory/2924-24-0x0000000001740000-0x0000000001750000-memory.dmp
memory/2924-25-0x0000000001740000-0x0000000001750000-memory.dmp
memory/2924-26-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp
memory/2924-27-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp
memory/2924-28-0x0000000001740000-0x0000000001750000-memory.dmp
memory/2924-29-0x0000000001740000-0x0000000001750000-memory.dmp
memory/2924-30-0x0000000001740000-0x0000000001750000-memory.dmp
memory/2924-31-0x0000000001740000-0x0000000001750000-memory.dmp
memory/2924-32-0x0000000001740000-0x0000000001750000-memory.dmp
memory/2924-39-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaDebugger.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaDebugger.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe"
C:\Nava Labs\Nava Shield\NavaShield.exe
"C:\Nava Labs\Nava Shield\NavaShield.exe"
C:\Nava Labs\Nava Shield\NavaBridge.exe
"C:\Nava Labs\Nava Shield\NavaBridge.exe"
C:\Nava Labs\Nava Shield\NavaDebugger.exe
"C:\Nava Labs\Nava Shield\NavaDebugger.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | navashield.com | udp |
| DE | 64.190.63.222:80 | navashield.com | tcp |
Files
memory/2212-11-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll
| MD5 | 831295342c47b770bf7cc591a6916fa7 |
| SHA1 | 2c9063fbf3f3363526abdc241bf90618b82446d1 |
| SHA256 | 8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656 |
| SHA512 | 01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e |
C:\Nava Labs\Nava Shield\NavaDebugger.exe
| MD5 | ca349faf9fbed80c3eeb0c5735aad99c |
| SHA1 | 4707cd4b771f6c1783c492d1214f1e9e6a5551bc |
| SHA256 | 58d1784dbac1819d0dd11c60987f4442c99ea71fe8f9522a8299b3cff869194e |
| SHA512 | 4afb559f861053cb0352cf0d7bb69cfbc64e1c8565fd9fb8e53e3618a089da447f12da9b99626fbe16bf35c64147c4990eba3e601023c26bf53ea44876023bc3 |
C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll
| MD5 | de5eefa1b686e3d32e3ae265392492bd |
| SHA1 | 7b37b0ac1061366bf1a7f267392ebc0d606bb3db |
| SHA256 | a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744 |
| SHA512 | c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508 |
memory/2212-59-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
| MD5 | 69ae1881260e0f7870e0e5508f34a502 |
| SHA1 | 435c610d639c63b1a8e8a4ffd2188d0c47b155b3 |
| SHA256 | 55ea4da6d3f5582a187942aba0a08555c4770731baf3557556aec63edbaf4415 |
| SHA512 | 5232958fff6b2f2cf012e3ade5b60a5db696503e6b24c0781ad1cb30d99084d658e35fce4cde6eee6ed2d046297d6094c8f53b7c1510c3c05977162204617a8b |
\Nava Labs\Nava Shield\NavaShield.exe
| MD5 | 8bab9091f9d45d9d83fdebcaa4655e0e |
| SHA1 | 8c92be10d23ec9f0210cd25253a831ecd43f679f |
| SHA256 | e1e6024b36a6e2ec620dd6f9db061a5e11b870229b398a25ddcebb4dc75ca7fe |
| SHA512 | e970345034b3aa600851410a4f8348c359f606fa4b225d619bef0b24ae9cd7b133a013425dd1a2f884d60a2514ab5a6c85f1887fb32483fbda7d53ba5e018ee1 |
C:\Nava Labs\Nava Shield\NavaShield.exe
| MD5 | 49d7c9b8aabdde050324079d80855763 |
| SHA1 | da9aefeae29148f92181f2303ef5804caab67779 |
| SHA256 | b5f836905e10c181a2c1d089765a0de51fc6b7b6883b4dcd78633b8d26a6e141 |
| SHA512 | 5861e3b1d192f8fa580fdb8cdf8716a27b134b87668e838486a6f48192f0c4052ee63379402d6c48940501c8dea66de48b41fefbff34ac736f5bde9fc177a3d7 |
C:\Nava Labs\Nava Shield\NavaShield.exe
| MD5 | 90fff0b193fd143b5b435cfd0604c2a6 |
| SHA1 | f48f79f814ea2a3c9b368004ec05aaa3c86c6839 |
| SHA256 | b956e0149d07163bcf85131b671267698321c5590e5e3b1a853be0d69adf3fbb |
| SHA512 | d7bd9ca480dc03523d40a4f7533ea57db37ce603d2eb9609184284894014b1a976dc49ffa9b57650e9147367ceedcbd70fa2c2a3c87211a0b0a6945653c09aae |
\Nava Labs\Nava Shield\NavaShield Libs\Appearance Pak.dll
| MD5 | fcf3ac25f11ba7e8b31c4baf1910f7a6 |
| SHA1 | fb470541f0b6b8f3ce69dcaa239ca9a7d7e91d72 |
| SHA256 | e5b3249fbeea8395fd56c20511bfcfdb2b2632d3c8d517b943466a4e47f97b5c |
| SHA512 | 47c467924d64af4a48a6e640778aca1dce379d16b06bf3f60a44025034c15ce1498ef307b63cb04e5c0cbb6c2ac58022acdb0d6efb1109c5ea31f842a320aa40 |
memory/2012-108-0x0000000002540000-0x000000000285B000-memory.dmp
memory/2012-115-0x0000000000710000-0x000000000072A000-memory.dmp
\Nava Labs\Nava Shield\NavaMod.dll
| MD5 | 3d7f80fb0534d24f95ee377c40b72fb3 |
| SHA1 | 11b443ed953dae35d9c9905b5bbeb309049f3d36 |
| SHA256 | abd84867d63a5449101b7171b1cc3907c44d7d327ea97d45b22a1015cc3af4dc |
| SHA512 | 7fc741bbce281873134b9f4d68b74ae04daf943ea4c0c26e7e44579f2d51883c635972a405dd81cee63079a5ba9d09328a1e26e7878547590569806d219d83c7 |
C:\Nava Labs\Nava Shield\config.dat
| MD5 | 389bf6e15ae0a7250f454da52aa7ced5 |
| SHA1 | 1f6a6fe568a1b863bf1f8a9bec9fc8a67e04ca43 |
| SHA256 | 5993325acfe309946c176737a019aa16e22b921fa6387b766bf8bc8a504e220d |
| SHA512 | 74bf5a1b5aaa4a27777ef98744aa5a4aac9dc2d64def7be42883d965e77c06852b8bd61c9b7620030c0b5d712ddefdbf0786d0696f62459e33a0debfbc62eb22 |
memory/2012-112-0x00000000006E0000-0x00000000006F2000-memory.dmp
memory/2212-124-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Nava Labs\Nava Shield\NavaBridge.exe
| MD5 | 6f89df4cde193c0636c3d497cf1a17bf |
| SHA1 | 9faaa0100195e3e81fdade11e7a476a1fd1b23c8 |
| SHA256 | e7f05380e90dfb15b91b8bbc2ae48a04ba84d573b3c9f7d81bcc12f814215929 |
| SHA512 | c31848b1dceb8f8351991051b389a38b2ca0ae7ee98ebf626576245ca1588f1f6ee14e3eff7b165ecf9879e7e11ab77888e297cc4ccbb405b0ed64ebcda304b2 |
C:\Nava Labs\Nava Shield\NavaDebugger.exe
| MD5 | 09e1f0733eb59abeb9180cd8db034053 |
| SHA1 | 209c79c4eca9f4a8ea5ed78561a76c6fc4ecdef8 |
| SHA256 | 7f9b0554775bbb6996de3a20038a08485fc8a211e0a4bb0aa055c3767339d00a |
| SHA512 | 515ff6df7d80fd81d0c7b3fb8ca64b29eeed5beb3dc42f14c6b17f4dc788e2d75e5df88273e151cb01cb92875eefb314219e48de9991ba4f8a76b0602bc7d532 |
C:\Nava Labs\Nava Shield\NavaBridge.exe
| MD5 | 57665e9b4d766001862c38bde736f965 |
| SHA1 | 05966b1b04e2e2f9e018d8b55f7b589d29d3ddbd |
| SHA256 | 3613e118d87531b4357b014f23a08551339962a3e0e5cfbdfbca7f989e145848 |
| SHA512 | 6759bb36ebe8316bfbc17ca5fead431813a6aa2accecfa1391c041f8ac50e78ab1f88b5bfc5016fe4e337c32c73d97165d6431d63e84e072fac1a29c015f1872 |
\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll
| MD5 | 912924f628e277be9cc28a5f2a990cb9 |
| SHA1 | 13c0166469a271497043a2f13e9a6a610dc2b336 |
| SHA256 | bd474c5aafcaa12f20da5ecb29e17555b953eca46b4f56588a72672a36d4a8eb |
| SHA512 | b33b430254f9ec32ecd6224124db69af93de3cbfbaf422a0045641f7961834a67cba1b9fd97f4e0e903e27e3360301c5dba214a6b9156c4cdf8a25115b860c39 |
memory/436-143-0x00000000002C0000-0x00000000002DA000-memory.dmp
C:\Nava Labs\Nava Shield\bridge.dat
| MD5 | e66f1107f995d52bcd90421b3cdc0dde |
| SHA1 | 245acafa2f3dab3f2b7f183d34267dcd976199c0 |
| SHA256 | 45fa6eacea58e682c2ef2bb9e888cb6bf396c37b957fd144ca73c95699ad3c74 |
| SHA512 | 0500f9dec5cfdfb80bc5763943deb3111ccde4b35f19ac124df2e5abde2681154977f160a42e9ef50698b0ea0cc26fc09361a3917534038f141dd047f0287c1f |
\Nava Labs\Nava Shield\NavaDebugger.exe
| MD5 | 25873e5d9d605d2e0937420b404b22b6 |
| SHA1 | 618a56b176c2edf76c2bfb8295dcf1fb35ef2cc8 |
| SHA256 | 1c23dfea6df21feb5d18b2914f961385608d63fd709209b57cbd701896ad9bb2 |
| SHA512 | 9680c68d1ae95663bc4c137aa4e75514322607132cb7cbccd7ddbf0fcb44a77699f0764b811b7401185c73f7b495a6eed7eb26d70c8b3af072914f125b66e41a |
C:\Nava Labs\Nava Shield\NavaDebugger.exe
| MD5 | 9111d2f189927c7b49f49d3e2068cb68 |
| SHA1 | ccb60935e474978efd8e7737d660f77be7720366 |
| SHA256 | 8ede8bbfdd719b86bf6c949412b86ef7ba7573596772a8f506e74c2c04ce430b |
| SHA512 | 3364416cdb9c7f276e1dd167b1cacf3ec964aac24c3cb1cd160a4e64435ccaed4331486be5c55172f83c2eab5b25ebb05816ada7f81085c68fa3eeee3306f4aa |
memory/1560-149-0x0000000002460000-0x00000000025E7000-memory.dmp
C:\Nava Labs\Nava Shield\navig.dat
| MD5 | 0bf850cb9d0aa0f4c778cc515b79bd13 |
| SHA1 | c0cb8a58cba046d2c7539025a39c8a1af81c3914 |
| SHA256 | 9c4723ecb77e39e58eda9c60f532724aa3bf69de30047cc7b6522534cd423f00 |
| SHA512 | 649c13f9f4fccc03ebd6cb2c3752434c69b5a8d7e9b94cac80cd98a7624bfd00648949b18cd720faf89fae050f6b523221db589a550c6ce4513e76ff0895da5b |
memory/436-140-0x0000000000290000-0x00000000002A2000-memory.dmp
memory/436-135-0x00000000025A0000-0x000000000272B000-memory.dmp
\Nava Labs\Nava Shield\NavaBridge.exe
| MD5 | beb9a1306c8001258b9df8c7a9c816ff |
| SHA1 | 63ac7fe58e9eedecdc35f2e12d3c263717b18d19 |
| SHA256 | d39c80e19ddaf2c1d8e2e10136c475778358c389d0caba91eab599efbf0c58ae |
| SHA512 | 0d4b9ec262993a19260386432acf9fc61819f2cf54e636abb392ac59427d02d4285b0a3c14b773ac709dbfffcb145588a83e9deb154ef52f33c709190bfb7e79 |
memory/2012-151-0x0000000069F80000-0x0000000069F88000-memory.dmp
C:\Nava Labs\Nava Shield\config.dat
| MD5 | 059404ab16e140325da96b8cf871eb0f |
| SHA1 | a042d03a013ccea427fa9d776801efd54b2862d8 |
| SHA256 | 6150381c68bdf45a6ce9cf13135dce19886ffd0c252d4b8a0a2ef6d5a983eb47 |
| SHA512 | fe1472d39f13228c5734a2ab29ba343571cf67df5dc844a1b828806649a6b734d226484e408d0376140670641950d257f0cdf617efbbec39043509088d250874 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
144s
Max time network
124s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\302746537.exe | N/A |
| N/A | N/A | \??\c:\windows\antivirus-platinum.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | \??\c:\windows\antivirus-platinum.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main | \??\c:\windows\antivirus-platinum.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://secureservices2010.webs.com/scan" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" | \??\c:\windows\antivirus-platinum.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}\ = "Panel Property Page Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Toolbar.1\CLSID\ = "{612A8624-0FB3-11CE-8747-524153480004}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib\Version = "1.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B7E6392-850A-101B-AFC0-4210102A8DA7}\1.3\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\ = "Microsoft ImageList Control, version 5.0 (SP2)" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\TypeLib\Version = "1.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373FF7F1-EB8B-11CD-8820-08002B2F4F5A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA52-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DA8D90-9D6A-101B-AFC0-4210102A8DA7}\ = "IImageList10" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Version\ = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612A8625-0FB3-11CE-8747-524153480004} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83602-895E-11D0-B0A6-000000000000}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "c:\\windows\\mscomctl.ocx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D96-9D6A-101B-AFC0-4210102A8DA7}\InprocServer32\ = "c:\\windows\\comctl32.ocx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7}\ = "IListItem10" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD0-E01E-11CF-8E74-00A0C90F26F8} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283628} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E80-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA62-E020-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD2-E01E-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8D0-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94444-E5E8-101B-B9B5-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B7E63A3-850A-101B-AFC0-4210102A8DA7}\ = "Panel Property Page Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7791BA62-E020-11CF-8E74-00A0C90F26F8}\ = "INode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\antivirus-platinum.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe"
C:\WINDOWS\302746537.exe
"C:\WINDOWS\302746537.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5AFC.tmp\302746537.bat" "
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s c:\windows\comctl32.ocx
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s c:\windows\mscomctl.ocx
\??\c:\windows\antivirus-platinum.exe
c:\windows\antivirus-platinum.exe
C:\Windows\SysWOW64\attrib.exe
attrib +h c:\windows\antivirus-platinum.exe
Network
Files
memory/2492-10-0x0000000001D90000-0x0000000001D96000-memory.dmp
C:\Windows\302746537.exe
| MD5 | 8703ff2e53c6fd3bc91294ef9204baca |
| SHA1 | 3dbb8f7f5dfe6b235486ab867a2844b1c2143733 |
| SHA256 | 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035 |
| SHA512 | d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204 |
memory/2492-14-0x00000000031C0000-0x00000000031D0000-memory.dmp
memory/2616-17-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5AFC.tmp\302746537.bat
| MD5 | 7d8beb22dfcfacbbc2609f88a41c1458 |
| SHA1 | 52ec2b10489736b963d39a9f84b66bafbf15685f |
| SHA256 | 4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2 |
| SHA512 | a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94 |
\??\c:\windows\comctl32.ocx
| MD5 | 821511549e2aaf29889c7b812674d59b |
| SHA1 | 3b2fd80f634a3d62277e0508bedca9aae0c5a0d6 |
| SHA256 | f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4 |
| SHA512 | 8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd |
\??\c:\windows\mscomctl.ocx
| MD5 | 714cf24fc19a20ae0dc701b48ded2cf6 |
| SHA1 | d904d2fa7639c38ffb6e69f1ef779ca1001b8c18 |
| SHA256 | 09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712 |
| SHA512 | d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1 |
\??\c:\windows\antivirus-platinum.exe
| MD5 | cd1800322ccfc425014a8394b01a4b3d |
| SHA1 | 171073975effde1c712dfd86309457fd457aed33 |
| SHA256 | 8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0 |
| SHA512 | 92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6 |
memory/2416-38-0x0000000000130000-0x000000000013D000-memory.dmp
memory/2416-37-0x0000000000130000-0x000000000013D000-memory.dmp
memory/2468-39-0x0000000000400000-0x000000000040D000-memory.dmp
memory/2616-42-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2468-43-0x0000000000400000-0x000000000040D000-memory.dmp
memory/2492-44-0x00000000031C0000-0x00000000031D0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
160s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\WINDOWS\302746537.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\302746537.exe | N/A |
| N/A | N/A | \??\c:\windows\antivirus-platinum.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | \??\c:\windows\antivirus-platinum.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | \??\c:\windows\antivirus-platinum.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" | \??\c:\windows\antivirus-platinum.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\ = "IButtons" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94444-E5E8-101B-B9B5-444553540000}\InprocServer32\ = "c:\\windows\\comctl32.ocx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\ = "IListItems" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8B0-850A-101B-AFC0-4210102A8DA7}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A3-850A-101B-AFC0-4210102A8DA7} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8556BCD2-E01E-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}\ = "IPanels" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{612A8625-0FB3-11CE-8747-524153480004} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ = "Microsoft TabStrip Control 6.0 (SP4)" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "c:\\windows\\mscomctl.ocx, 10" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A1-850A-101B-AFC0-4210102A8DA7}\ = "IPanel10" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\TypeLib\Version = "1.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\ = "ISlider" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ = "IListView" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ED94441-E5E8-101B-B9B5-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ = "INodes" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ = "IListSubItems" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F4-EB8B-11CD-8820-08002B2F4F5A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA52-E020-11CF-8E74-00A0C90F26F8}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Slider\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "131473" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\ = "IButton" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\antivirus-platinum.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" | \??\c:\windows\antivirus-platinum.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | \??\c:\windows\antivirus-platinum.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | \??\c:\windows\antivirus-platinum.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe"
C:\WINDOWS\302746537.exe
"C:\WINDOWS\302746537.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30FE.tmp\302746537.bat" "
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s c:\windows\comctl32.ocx
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s c:\windows\mscomctl.ocx
\??\c:\windows\antivirus-platinum.exe
c:\windows\antivirus-platinum.exe
C:\Windows\SysWOW64\attrib.exe
attrib +h c:\windows\antivirus-platinum.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Windows\302746537.exe
| MD5 | 8703ff2e53c6fd3bc91294ef9204baca |
| SHA1 | 3dbb8f7f5dfe6b235486ab867a2844b1c2143733 |
| SHA256 | 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035 |
| SHA512 | d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204 |
memory/4904-20-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\30FE.tmp\302746537.bat
| MD5 | 7d8beb22dfcfacbbc2609f88a41c1458 |
| SHA1 | 52ec2b10489736b963d39a9f84b66bafbf15685f |
| SHA256 | 4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2 |
| SHA512 | a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94 |
\??\c:\windows\comctl32.ocx
| MD5 | 821511549e2aaf29889c7b812674d59b |
| SHA1 | 3b2fd80f634a3d62277e0508bedca9aae0c5a0d6 |
| SHA256 | f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4 |
| SHA512 | 8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd |
C:\Windows\MSCOMCTL.OCX
| MD5 | 714cf24fc19a20ae0dc701b48ded2cf6 |
| SHA1 | d904d2fa7639c38ffb6e69f1ef779ca1001b8c18 |
| SHA256 | 09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712 |
| SHA512 | d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1 |
C:\Windows\antivirus-platinum.exe
| MD5 | cd1800322ccfc425014a8394b01a4b3d |
| SHA1 | 171073975effde1c712dfd86309457fd457aed33 |
| SHA256 | 8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0 |
| SHA512 | 92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6 |
memory/2216-32-0x0000000000400000-0x000000000040D000-memory.dmp
memory/4904-35-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\MSCOMCTL.OCX
| MD5 | dbdc92c26097147bd64b1b2f6f911bc5 |
| SHA1 | 6ed5c861bba59c9e90d045469514a3fc53a527a8 |
| SHA256 | 42b1d8bf222e56b6cc7019f0f6cc4cb4125f9ed0f08eb9a3dd2a855a9eb5bc28 |
| SHA512 | 81e7071e9421fc3b9cd9787bca6af30e0181e8a6cf45413db6a3014b8f7af949cc9a6f3106f73b7fafc91cb59d6f61253dc05c75f10c395bf2bc0a6797ed4fb3 |
memory/2216-38-0x0000000000400000-0x000000000040D000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6AdwCleaner.exe\" -auto" | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 172.64.149.23:80 | crl.usertrust.com | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
159s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Def Group\PC Defender\hook.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5811dd.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1335.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5811dd.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{FC2ABC8E-3715-4A32-B8B5-559380F45282} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5811e1.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary blob omitted) | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538927103019166" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EDB8E2C4D105E8B14E8F9980575AC7AF E Global\MSI0000
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaa8489758,0x7ffaa8489768,0x7ffaa8489778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.200.14:443 | clients2.google.com | udp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi
| MD5 | 7f728acab22868ca02cc1ba0a14f5d64 |
| SHA1 | 9e3e82b152447b8bcd27583fbdab7aa91ca4739d |
| SHA256 | 586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4 |
| SHA512 | 9bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800 |
C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe
| MD5 | b84df77564555c63c899fce0fcec7edb |
| SHA1 | e63e7560b3c583616102cad58b06433b1a9903b0 |
| SHA256 | 912ebab4ab2ea830b961df778dd854e555c89e05e25b7c02b3737429115405f9 |
| SHA512 | 857717981c44a6a5fbb1bd34308e981c448746e0ea2d5bea94516fea20d0186e00a3547ad0b948c10fd9493e3ca00c0899927b0fa51c240697faacbbecca033a |
C:\Config.Msi\e5811e0.rbs
| MD5 | c94dabdd1e33f0a09652fa6bc7bfc184 |
| SHA1 | b48183e017fc43e4abe2d999fd6ca9ccecccc66e |
| SHA256 | 4b96540bbad8a7acca851013b6f35a5cb7ec3120c6ca5b9f3fd1e2fff5a68d5d |
| SHA512 | b6a3f2d4ab933255a19054974398825cfb217d6b160e976730333e854b58c415e8f2f5e525e65fcac433adf93e2e848f1557d82d6b5eeb771a70bbbe5c6e7db4 |
\??\Volume{ef7552f8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2fc0da7-0319-4d25-a2d3-2d4826c35753}_OnDiskSnapshotProp
| MD5 | 4938c71bd8c2422235e1fe2027f16d65 |
| SHA1 | ee894facb01f9cd1d0764bc8bf4ac16c4ccd525e |
| SHA256 | 0c36e793a2adf0d69a57705bfdf96c3ed1c31d71fcce2f558fb5e2284b1e416c |
| SHA512 | 850db522ee1af1885815fec4eb67dc9bf7815314ab36eae4a6f6bee0535e1b75fd6924b0e574ea2b34906d78020c612d48091f06231a5253094ac0365009ff45 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 6ef1fc6b1984c9bcd4ddf002e09be3d7 |
| SHA1 | 05d0364bfc7d50d4d76ddf517156ecf1b1517125 |
| SHA256 | 5c5d5a681e552e8b003e8ec2711bd7ffec5c923bd529d7c8a16f7f440dd4a113 |
| SHA512 | 2ebfa5218479ea34f23c7fde15f86bf8447ebc798490d1b0029931c0f55c717119f5a8c47a6141a7c090f897cb45720f7910afb0e8e4b48f1513284d0739760f |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 4b21c844fe63940cc4dc14c66f92416f |
| SHA1 | c08525bbfec0f1b168ea9d4f61b476e3d824308d |
| SHA256 | 2b3264da95ba92c2cdafb5badcfc02f94db79953a008e08a8b659a8f9a65ea51 |
| SHA512 | 96adebf75b6af07e16881284374d0057bc6ebf0d605e866cc249493bd5b0f5a88c5a8b887d40e0bceb32ebb8a0a0e283b33ee7c5740ff59ef2f6043fcdcbfb51 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3fb10993e95dad2c3ec354cea001108b |
| SHA1 | da42344fa918b69bbf488736bbb0dbc840098e4d |
| SHA256 | 7e204a42441eb6c3f9f494acae2bcbbfc7bc474b799951471bc3b909c8d279f4 |
| SHA512 | 481c052abe31b61f1c48d8db91777ff6d55d4c749c543b8705aed0f35d92ac9a78d8f5c2bf5339812dfba25578c06b16eaa53db2b2757154bb87514b8fca4f65 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | b1339764e026ac9bdb7e673a0d2fb17a |
| SHA1 | 17bb45545722f681e29bb0542e03e8b9f4f41465 |
| SHA256 | 5ae84ac103d09ce26a77380e25b5c53ae6b0acf7825a4310aba4ec16a0a61698 |
| SHA512 | 3090f3e46d0d8e4cef31071592244e2b6a735d909c06f082dbe46e5643658198c8a1abcfcc1c359b0f834e8a1d32c646dd5f5da638fe9ee0112f0f877d930e4b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 4a17848095bea25aecfa2687952c96c6 |
| SHA1 | fd49f9400efcac4ed473c742f6851563e0ec1cde |
| SHA256 | ab3f4158cf1e2f64477e4e3b142ef5e6e056d07d4d336645127f70e1263d154c |
| SHA512 | 143291ace88842560a5f0b24402f9301fcca2c4f6893762d5927520edad1d1618d87736f94ffacb91a346d20823274785cdbf46854f659b37a7862bdf0dc222a |
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AnVi\splash.mp3 | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| File created | C:\Program Files (x86)\AnVi\virus.mp3 | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\mofcomp.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe"
C:\Windows\SysWOW64\net.exe
net stop wscsvc
C:\Windows\SysWOW64\net.exe
net stop winmgmt /y
C:\Windows\SysWOW64\net.exe
net start winmgmt
C:\Windows\SysWOW64\net.exe
net start wscsvc
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start winmgmt
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop winmgmt /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start wscsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | searchdusty.com | udp |
| CA | 54.39.157.64:80 | searchdusty.com | tcp |
| US | 8.8.8.8:53 | fastsofgeld.com | udp |
| US | 8.8.8.8:53 | highway-traffic.com | udp |
| US | 8.8.8.8:53 | frequentwin.com | udp |
| CA | 54.39.157.64:80 | searchdusty.com | tcp |
| CA | 54.39.157.64:80 | searchdusty.com | tcp |
| US | 8.8.8.8:53 | computernewb.com | udp |
| US | 104.21.69.77:443 | computernewb.com | tcp |
| US | 104.21.69.77:443 | computernewb.com | tcp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| US | 104.16.57.101:443 | static.cloudflareinsights.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
| MD5 | 7fad92afda308dca8acfc6ff45c80c24 |
| SHA1 | a7fa35e7f90f772fc943c2e940737a48b654c295 |
| SHA256 | 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f |
| SHA512 | 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea |
memory/2004-16-0x000000006F8A0000-0x000000006FBB2000-memory.dmp
memory/2004-17-0x00000000078C0000-0x00000000078C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabAFD1.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\TarB1BC.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4VLHPRO\pixelplay[1].woff
| MD5 | b49e517a8e3605250d8a4231554c1b57 |
| SHA1 | 6da51af721bbb147c682f64c130ad97e336d1179 |
| SHA256 | 86f273658594b1fc14337bff6945402bc90cc6b67989b757d0146d83bb07260d |
| SHA512 | d4ce376ee0af2244de6ca039bafffa627cb5f795951d9cc4d2f01a0e65f5804d18909148f057edbc0f645072229120dbb8b31165254279fd6bbacf0c9a9acc66 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXAFS242\v84a3a4012de94ce1a686ba8c167c359c1696973893317[1].js
| MD5 | dd1d068fdb5fe90b6c05a5b3940e088c |
| SHA1 | 0d96f9df8772633a9df4c81cf323a4ef8998ba59 |
| SHA256 | 6153d13804862b0fc1c016cf1129f34cb7c6185f2cf4bf1a3a862eecdab50101 |
| SHA512 | 7aea051a8c2195a2ea5ec3d6438f2a4a4052085b370cf4728b056edc58d1f7a70c3f1f85afe82959184869f707c2ac02a964b8d9166122e74ebc423e0a47fa30 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IKDEMF4Q\index[1].js
| MD5 | d6ccc01f5e7ffed0e34b710cc8f94aea |
| SHA1 | d8eebefa67f1b3ba5b4774450514063e2f5f0e84 |
| SHA256 | 13fee64f85f9ed03819cfb90371daea36ab141bc8b6d109b54d6f88dd15b9928 |
| SHA512 | 606b29db366da0738e5c918b7e872c1882ddd5ebec106179f2b599694aad1bca03833940cf11aa9fcef77d555ac89de573f6c358c083d9162e899a682df2ec58 |
memory/2004-114-0x000000006F8A0000-0x000000006FBB2000-memory.dmp
memory/2004-115-0x00000000078C0000-0x00000000078C1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | N/A | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" | C:\Windows\system32\svchost.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | C:\Windows\system32\svchost.exe | N/A |
Checks installed software on the system
Checks registry for disk virtualization
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK | C:\Windows\system32\svchost.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\system32\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\system32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Windows\system32\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EC7A6A1-D8E5-11EE-BEEC-D20227E6D795} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90de7553f26cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000007e24c37093847c92a5cea8828a9b9169c33e42a915fca012df3ae3e6a3448679000000000e80000000020000200000003c5d8c915dd416dba54cd572cb49441b0cb3a14a00a3a21b8fbf6c22e830a68a20000000f0b19839142c4be440857e7c64b19a633b3f332ea89441644e8813db0382bdfb40000000ef37381f87dc6825d3cad41c703aa26c22bb41f58de3051179dfc655956f132ee005d8b03f159aabb87408615296a61703d98ff8ab26306e98e9bb9b6fedeef1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-fb-04-fa-e0-00\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadNetworkName = "Network 3" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-fb-04-fa-e0-00 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadDecisionTime = a0d5a40ef26cda01 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\e6-fb-04-fa-e0-00 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-fb-04-fa-e0-00\WpadDecisionTime = a0d5a40ef26cda01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2} | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-fb-04-fa-e0-00\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Key created | \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeAuditPrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
\??\globalroot\systemroot\system32\usеrinit.exe
/install
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
| Country | Destination | Domain | Proto |
| US | 168.156.42.60:80 | | tcp |
| US | 168.156.42.60:80 | | tcp |
| US | 168.156.42.60:80 | | tcp |
| US | 168.156.42.60:80 | | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| GB | 87.248.114.11:80 | www.yahoo.com | tcp |
| NL | 88.208.21.219:8083 | | tcp |
| US | 8.8.8.8:53 | secure.2010billing.com | udp |
Files
memory/2124-1-0x0000000000400000-0x00000000004C4400-memory.dmp
memory/2124-2-0x0000000000630000-0x0000000000830000-memory.dmp
\Windows\System32\usеrinit.exe
| MD5 | 4acd14244d2cd76d06939163127cfb10 |
| SHA1 | 75f3e3c764f7d20c9950f5410f753f3210bcc2e7 |
| SHA256 | 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb |
| SHA512 | 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031 |
\systemroot\system32\msiavjyv.dll
| MD5 | 7943d251821ca441924f0d64946e8a3d |
| SHA1 | cace099a490410260802ee143f7c7e3543f2f4cf |
| SHA256 | be8dbcb59c3181ec518a6934931efc725a128310956fd076f0f0bd537b96a9eb |
| SHA512 | 0d4c9f021e07e2a27f3e7f46be591f01ec4c04fce98d9c177697ea4518d0c8d80105d73a29deff925cf28fce89a4fe40e790ef0086748dc169b1a8190e6d40f9 |
memory/2124-9-0x0000000000400000-0x00000000004C4400-memory.dmp
memory/2520-14-0x00000000000A0000-0x00000000000BA000-memory.dmp
memory/2520-20-0x00000000000A0000-0x00000000000BA000-memory.dmp
memory/2520-15-0x0000000000060000-0x0000000000077000-memory.dmp
memory/2520-25-0x00000000000A0000-0x00000000000BA000-memory.dmp
memory/2520-30-0x00000000000A0000-0x00000000000BA000-memory.dmp
memory/272-32-0x0000000000F30000-0x0000000000F33000-memory.dmp
memory/272-37-0x0000000000F50000-0x0000000000F56000-memory.dmp
memory/272-41-0x0000000000F50000-0x0000000000F56000-memory.dmp
memory/272-33-0x0000000000F50000-0x0000000000F56000-memory.dmp
memory/272-42-0x0000000000060000-0x0000000000077000-memory.dmp
memory/2520-55-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp
memory/2520-63-0x00000000000A0000-0x00000000000BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D02}.tlb
| MD5 | 63881935b6ff930a39df13a27c18c3f5 |
| SHA1 | d5464ca24d61b2efb562b1b4f4e0bef69c94cf04 |
| SHA256 | 50d712b007a3339855619a4ad283661c07e13ec0a74465ea3d121439005cd1e5 |
| SHA512 | 011d0307d088ac7a691ff504f8c3e99a06097fc27e10d40d62721cf6c6d0500120d040a7d32fd10aa50aeef1ef12be67501fff122bed129a354fb57c213a0ed9 |
C:\Windows\System32\exefile.exe
| MD5 | 72178bb0f9674f0ce0b6b188d1219266 |
| SHA1 | ae3c43c7846c0ef977fa90991e1c366e34ab671c |
| SHA256 | 09cd3c864182b703a1384a15e60424c0ee8c82c3fd19f197c391a0e3ec5bd16e |
| SHA512 | d9004c1b8402375c92690525f06ae83198bb929bb18dfc46fda9036a4054ed9c38637438b13ecc2566f98f2a8ac297ec7f0151b63a59c4f7bbc2ab8f7b6d779e |
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
| MD5 | aef9e26239afcb4b33a86a2fa1d7c6cd |
| SHA1 | 9d7d776bff2ad58b4d779abdb6e9e95762240db8 |
| SHA256 | 2d17533cf49cc30e382b259be3cfd2ed2a65d7d8919705fcde6eda818cb7caf0 |
| SHA512 | 52ab2b4a2eff04921b0c482e98c6d490bb9f112efbdf254b87f5740d93754225643b5feac4ab98a25517aac7502f3bb7a95b14be91f110cc0bf251bda6170ea5 |
memory/272-123-0x0000000000060000-0x0000000000077000-memory.dmp
memory/2520-280-0x00000000000A0000-0x00000000000BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB696.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\CabB7B0.tmp
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\TarB7D5.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 33b3d0956cf1e67f6d99e50ff9ca4b72 |
| SHA1 | fc4acb2a82d5a3d3df7834de145748276305e2ae |
| SHA256 | b3443acda6dc4679b02eb78011a6abdc9b430be0af87ee16dceeb3caf29f9791 |
| SHA512 | f201a105f5d2d4b3ba8c7d905fc290709d93fd2c8b1076fc5b66e803b89d4aa1e2ae64daba022f2473fc089e47d391edf7bdbaa43a36aae27d43345a0df0a619 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e8c8ad26e9f11b8928694bb2d6c6d94a |
| SHA1 | 32bfe7b01b90260cf7ac4e527544db21a18e2d77 |
| SHA256 | 59df0721e4d7a01968a277611b7c87b9f90de375ed49e292b4f4e52d5a8b1c9a |
| SHA512 | 491d6c4bf7eccbe90222d167e8b381c7932f77ec4f66bccf41dc9a229bd8b356cd43e3ff848e3e9b86fc74d13f58d12f9346686474240ad7af6bff98aae376ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 960fd6e3c4cdc6b807d17f5183771629 |
| SHA1 | 0b9411a227592040fc7fab84ba09c0bef1af1b47 |
| SHA256 | 77faa62106444cd9b4ab805fa8090ee361d96fe76ac37cdd6f82da2c089e83e5 |
| SHA512 | 952ac212ac701a0bb560a4fff46874ed073ba1212883dab76f4cd2a753ddededda9b13c0f12420dfd42f9e24dc4cb9fea7232342506ca18f35afaa5d16afa1a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 562bd3326b44ef8ff5b8a8dafdbcd71d |
| SHA1 | dc5d49d3aa18f7f4b2455e8c66521a88dff16865 |
| SHA256 | 6b61aafb816689db87e5623d5f125db9784b40cb65c3b390f99ab39562dd7cec |
| SHA512 | cd766785b3d0d0a7d63de54a030b70a281d35a7e05c6cc65e766ddfe132c33020281ad8f745327fe14886be55317fe1cbe70270865890cb49b562be2adb60fa4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 525a799223225fc1377353ffa8d8bcd1 |
| SHA1 | 0c0d1dafc844b63d820672f8967586d00a6159e6 |
| SHA256 | d8ab6a245af1599728c4c753bc8031e478dfce26e5f0c6738503e994d2243867 |
| SHA512 | ac63dcf10dfb07f9b54d92859d492db79d90096bb50791a6b5a37f1f7b83550e74c535920dd3270e19222f63b9784ce8c8b6dc4fb496214d1b532e618b352372 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c841051abe33a26f148bc8761b145c39 |
| SHA1 | 1dbce39d749d88715f6acab03a5a83a9e211e9f4 |
| SHA256 | 6e4e6863335ddcf5978e01482cd0798f325c43c2fa9cf09e5b6e2415004857da |
| SHA512 | bdb62c311205ead009484111babaa0426b05daf4e09bbe5e33784dce95d9a4fea55e3eef17b8e6cee2b1ec713e83de92bd9f3ced1882693c7085a3b298d64089 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5356c799e535e8b9604d68074c5450da |
| SHA1 | d49b6455fccdd16782da8c6bd100843e2b422032 |
| SHA256 | 63f7c6561009827c552948ed158caa23ad70e3c4047f59b3575272638c97723b |
| SHA512 | 8132ec1b5adc24431f59d824768b8459fd3d507d4c8580b7c7935f5fe795ebec7d6065c809a3a3ef265314c917965b0a910bc0a7ae529a7d8f3421b53e1626db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 194a573050f71559bcd63ec8393f4032 |
| SHA1 | f63c29991b040840046ad7ac3e59620c10382fb0 |
| SHA256 | 4c203b1bd151eb4a9ba6b74877f304fa5b2ba7a8d0b86bad8fb32cf950a22b08 |
| SHA512 | aa547eac5c2355f3a21872e1878aedd7418cb885d6c0cc94cc9e229a7ff5e6ac88dcaf914bd6ec508789f45329de00e595d2b296f59df78deaac164e5c445f4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 23a73bf5863c72733dd8cfe5708e6e27 |
| SHA1 | badff23e7692a5d227932d1923b76ea6614844f4 |
| SHA256 | 41abd4255977c86e552cf7f66e100fe2c52c7694d5c69527090138f147d79fb0 |
| SHA512 | 1c83768a68b6e09abccb639c1590273266f0af8d7db0cfcf5bd81c77673fd9ab62a02a58416d27fafb6a38e1fb5158722c696d0636a658608cc05a26d5a66013 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
114s
Command Line
Signatures
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fake AV\\AntivirusPro2017.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twinkcam.net | udp |
| US | 103.224.212.215:80 | twinkcam.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww25.twinkcam.net | udp |
| US | 199.59.243.225:80 | ww25.twinkcam.net | tcp |
| US | 8.8.8.8:53 | 225.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.212.224.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3692-0-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-1-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-3-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
memory/3692-4-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-5-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-6-0x00000000028F0000-0x00000000028F1000-memory.dmp
memory/3692-7-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-8-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-9-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-10-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-11-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-12-0x00000000028F0000-0x00000000028F1000-memory.dmp
memory/3692-13-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-14-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-15-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-16-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-17-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-18-0x0000000000400000-0x0000000000A06000-memory.dmp
memory/3692-19-0x0000000000400000-0x0000000000A06000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:39
Platform
win10v2004-20240226-en
Max time kernel
113s
Max time network
145s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3880 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x2ec
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
Files
memory/492-1-0x0000000000BA0000-0x0000000000D92000-memory.dmp
memory/492-0-0x00000000753A0000-0x0000000075B50000-memory.dmp
memory/492-2-0x0000000005780000-0x000000000581C000-memory.dmp
memory/492-3-0x0000000005DD0000-0x0000000006374000-memory.dmp
memory/492-4-0x00000000058C0000-0x0000000005952000-memory.dmp
memory/492-5-0x0000000005760000-0x0000000005770000-memory.dmp
memory/492-6-0x0000000005830000-0x000000000583A000-memory.dmp
memory/492-7-0x0000000005A80000-0x0000000005AD6000-memory.dmp
memory/492-8-0x0000000005760000-0x0000000005770000-memory.dmp
memory/492-9-0x00000000753A0000-0x0000000075B50000-memory.dmp
memory/492-10-0x0000000005760000-0x0000000005770000-memory.dmp
memory/492-11-0x0000000005760000-0x0000000005770000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
148s
Max time network
159s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" | C:\Windows\syswow64\MsiExec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Def Group\PC Defender\hook.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIC504.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76c19a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76c19d.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c19a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c19f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c19d.ipi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-70-d1-5d-21-ee | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerDaily = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerDaily = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerDayOfWeek = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found\C:\Windows\System32\more.com = "Backdoor.Win32.ProRat.gej" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found\C:\Windows\Fonts\arabtype.ttf = "Trojan.Win32.Llac.bia" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DB14485-0BDA-4E05-ABC4-CA60423FADA5}\8a-70-d1-5d-21-ee | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DB14485-0BDA-4E05-ABC4-CA60423FADA5}\WpadNetworkName = "Network 3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807030006000200160026002300a302 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerSecond = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000020cb685cf26cda01 | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = c0beb45ef26cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerDayOfWeek = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerMinute = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found\C:\Windows\ehome\mstvcapn.dll = "Trojan.Win32.Agent.dfki" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 403cf55cf26cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DB14485-0BDA-4E05-ABC4-CA60423FADA5}\8a-70-d1-5d-21-ee | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807030006000200160026002300e102 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000020cb685cf26cda01 | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media\1 = ";" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Language = "1033" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Language = "1033" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\ProductName = "PC Defender" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\ProductName = "PC Defender" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media\1 = ";" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\ProductName = "PC Defender" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Assignment = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Version = "16777216" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000004A0"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D03C52A3A4BAC024271885A7D74981C4 M Global\MSI0000
C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 /f
C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
"C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe"
C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
"C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" Antispyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:537612 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275482 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.plimus.com | udp |
| US | 104.18.31.105:443 | www.plimus.com | tcp |
| US | 104.18.31.105:443 | www.plimus.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 104.18.31.105:443 | www.plimus.com | tcp |
| US | 104.18.31.105:443 | www.plimus.com | tcp |
| US | 8.8.8.8:53 | www.bluesnap.com | udp |
| US | 141.193.213.20:443 | www.bluesnap.com | tcp |
| US | 141.193.213.20:443 | www.bluesnap.com | tcp |
| US | 141.193.213.20:443 | www.bluesnap.com | tcp |
| US | 141.193.213.20:443 | www.bluesnap.com | tcp |
| US | 104.18.31.105:443 | www.plimus.com | tcp |
| US | 104.18.31.105:443 | www.plimus.com | tcp |
| US | 141.193.213.20:443 | www.bluesnap.com | tcp |
| US | 141.193.213.20:443 | www.bluesnap.com | tcp |
| US | 8.8.8.8:53 | cp.bluesnap.com | udp |
| US | 8.8.8.8:53 | cp.bluesnap.com | udp |
| US | 104.18.26.40:443 | cp.bluesnap.com | tcp |
| US | 104.18.26.40:443 | cp.bluesnap.com | tcp |
| US | 104.18.26.40:443 | cp.bluesnap.com | tcp |
| US | 104.18.26.40:443 | cp.bluesnap.com | tcp |
| US | 104.18.26.40:443 | cp.bluesnap.com | tcp |
| US | 104.18.26.40:443 | cp.bluesnap.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi
| MD5 | 7f728acab22868ca02cc1ba0a14f5d64 |
| SHA1 | 9e3e82b152447b8bcd27583fbdab7aa91ca4739d |
| SHA256 | 586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4 |
| SHA512 | 9bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800 |
memory/1660-26-0x0000000000280000-0x0000000000282000-memory.dmp
C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
| MD5 | af4761437567f84ffbec44c978ac2634 |
| SHA1 | 488e27e01b629f3c2cd274a3c6572cdb040fc137 |
| SHA256 | 41922380e3a419fea5a794a16e7abe3364c08da6c66fca0ce8f37c20e21ede68 |
| SHA512 | 82694af3458a01040b9753f133e446c32fef105d4d36dfe8a5fa944080f4b6736dc8e4fbe2abb3db6f79ff24f8e1b9f07543c1193410cfa0a3faafd3e1ce096d |
C:\Config.Msi\f76c19e.rbs
| MD5 | c156397be71b0387833fa5ee82450c83 |
| SHA1 | f64696065ed78ecb6527c5c2bc14531b24283358 |
| SHA256 | 24b9d981a3d19e77963e826656db1ef21f0d15caa89d2a5575c3c6a56d43162f |
| SHA512 | ada3559e0c9a18acfd92c97af42dd037a4b2138afde8f12f5d719365ccfbeb8d4e0facd2f6268f5540fa05982d64d0c59626547e15b0ea4afc1f27ee5def122f |
\Program Files (x86)\Def Group\PC Defender\hook.dll
| MD5 | dc973050688bfd27a2d47e0ac2e21abb |
| SHA1 | 3ff84e8c292051aa7e57439aa44b7beac68b2d71 |
| SHA256 | e69c437e565390cbc0209e7934136cc68a7caa07cf7341c870dac35ca549b225 |
| SHA512 | 4123df1cb903bff54897e1edd8c8c877e3fff9b81de9919569b3096fac8d80d06f73f005ef1c63269f4b50d7ee1965deb13d473b32f365c8324880ab995a600c |
C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
| MD5 | c2514c216b4b6dac1a4d740126177f29 |
| SHA1 | c25d7b051339c9d0b1ee109abfb12724a24f130d |
| SHA256 | 8212f98e9caedd00bab3c3d561055507cd617cc2b2151c956968caeccde66e11 |
| SHA512 | dfe6dab9e14b539e50eea2b8314f3937f650eded149d1264763ee4d0d045bf1959569cb31e9e7d5bf602e49c68401cde02e2e552ef3d0baca2e4d48c53d78692 |
memory/2824-167-0x0000000002530000-0x0000000002532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab95CA.tmp
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar96E8.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ece29a6d223a9b0606015e0edaca2274 |
| SHA1 | 7cb5496f3fddf20006215bf4d3db56c86a9f9f3d |
| SHA256 | 993e4ed452681c71c09a020f6dc286d31874775fb9adbc98728bc20827e6cf0e |
| SHA512 | 2964fb5ba228e5bb1c96cb90a477cfde43e85dacccc284d1394f2e19a4ad44c779d9ab48fc973abdccbbf0ecb22af26937776081e543dbaa4e65870a74b2aa42 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | f214c493fcdf1d0d7846f0e333dfd429 |
| SHA1 | 6328cd1f245c473a710622f271dbc23958e8b36f |
| SHA256 | b115366d00d960c96f2c54ce06f7b8af704cb2566182cdf75e29cf9576661dc5 |
| SHA512 | 59200140399a99311b8eb5f4948a7569a568eb14449e05d2d4ddf1004de96ed52f8d970dcd6854ddfdbe08827f61467cfc2905549dfe90381b25b5395be5c38e |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | e3aa453a55638bcecc11958b116dc597 |
| SHA1 | 224fa7cbc8bd7364894bf00532eb0f4ca6468e3f |
| SHA256 | 41f0a1b15dd35c2d25442b17bf16602cdaddbea176765b01e8633b20c7edd544 |
| SHA512 | 443e0543e35b120062cd2cee9d9a96caa042c3c90870a537ae10ae39c6527d78d32824b5b5a1e84db394ce3d7e16d3880a705e74b461f108af5315413ea89970 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 5efd3ae592c00b1af85f29d01ea68ede |
| SHA1 | 6026df67033828a93f8aca97185740ec268c39c5 |
| SHA256 | ab0a0626af2d84239698869118d3302d8184c421094c1ebbf38fa9475ee9bb47 |
| SHA512 | 7a39a47da47627478a0365d8751d824e990b470cceed7c2e46f44de70751191e85744e38331673fd3c0c3bf86f68b958b252c84ba0099c6079d66fb88f34287c |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 178c69ff569642a29d7e3e0d769ed1b6 |
| SHA1 | a132d6d0aa2d8b571ca6ae4d6edcc28ea13a8fa7 |
| SHA256 | f5e4ffe7bb46407aaee8789b6428dbbf0311957f63a23500b21bc6217f018d68 |
| SHA512 | 6fc609ce963cf59889aca27ccbb592293b3b2d76cb1b1120e47598c1ff3974ece69fc402eb11a795bb7205faa2091a3518869f0c931b068d60bceb26653a0301 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
| MD5 | fc9ac26379524208bd455b861448bbeb |
| SHA1 | 54430990d0189a6b039e1daae7b374b55c88466a |
| SHA256 | 06afcdd746b7d79c8929ae2f1dd7b5ce521bd7becd1fdfe221c9474627239c5f |
| SHA512 | 3c78c5bd1ce833307144707b5c10839fd90ce66450c1e1e4dd6b60ac0a701b3db3b3ea2d3eb1c8db2424f2527e003e768cf59b4c720294ada2338c12ba262097 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
| MD5 | 681abe65c2221b4836728a7675abcbc4 |
| SHA1 | be6e7dd30b388dd128497623bbf7371868a4623d |
| SHA256 | 8869fdd49509413447a06499efdc58e1275fc968fa58a04a1af642673d549a3e |
| SHA512 | 56dabd6426ddd43ff8889db2298d25c5d015332338c499cb0e06dc4a31fe305cf59e86405e2a37f06c66a6cac309615c0f9aabd0ccb6f1063a1b2b225670ad65 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
| MD5 | db09bd2b07eaf44f25aebcf9e35fffc7 |
| SHA1 | ee5620e85bcc2709fd42f8b0881da980d04d19b5 |
| SHA256 | 19210beb9db1cae789065cffbd767bbf5c932b031d15a51bca1e4fd602009020 |
| SHA512 | 2e790f721bb7d607ab20b7733d8ac2a3bdd992ef8c449a60239fb19d30f3478087d83f31f02c001f9e21e1be6afc9ceafc59f27f9fabbcd533f8e1e43ae444c0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3ce7c53aeb9eab187048331c272f93f8 |
| SHA1 | 0117ce4f2fca2c639b9dd8660ced380e1378075d |
| SHA256 | 7b2270e1167fc804237a32fad034394a785b1a406fcc13e1643f072a5de28dc7 |
| SHA512 | cb8bf524e32387eff7b1a6f4c7c828a3aa0aa7d3eaa006b6cbc0ec1381b23e972d122b490196448ea4c088150bd48fa5187bea70db5c15ebc41a0e36b8582abd |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9ea0503fd3c3bef899992de41094a480 |
| SHA1 | 3e5b1ac4f18d0cbefd9f1a2a631e6592c6cb248d |
| SHA256 | b128cc5ab1bd55d27d9a6675cd7e61fa59f65e4181946104775a4bb2295c4f21 |
| SHA512 | c95b794bffef19b55d475aee50bba3bf41bb7ff5ee2b45b28a0578911cb01bfd8a6a1db9ff35006b823409fcdcd3f94d5b6e8ca454803e04c2803134d4536bc0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d481bfbddb70443c28cb2a9f0fa61e7e |
| SHA1 | 8846dc9a93edceafaf079bf70dcd8cf5f00abb42 |
| SHA256 | 135ede8e1351c764b4a381687f8203ea86432a1ba072e81297c80675edc4c1cd |
| SHA512 | 754ebc8df2dc7ce253678070f7b14da4903ac79c0ba67b58c1603adaeb0ab90e49466a4f1883f9bc3c4b984c9d7d861fdd6a73f0e57ec979abe97e0d16e6de4a |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 11d92e1a68d26a59956082b62c2eafaf |
| SHA1 | 04cd9cb01e414161e5bb0d21899c99dc6291d7ac |
| SHA256 | 18fa8a791d338e48d2eb17759be9dc042a312909f3a6ac90e43afb931d47a87d |
| SHA512 | 3a97943d2143159453faab900c6083cc9c563cb8e251c3a72a0a3091a2ae9429c5a2f547c972e89f7b2595b80e5fbfb028e3d5e73c54e188a9e15a874572d70b |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 477111e39ebd454644e9c32e5b1f6f83 |
| SHA1 | 3cc96bc51579e43cbaeeed1c3d1b10522ab64e62 |
| SHA256 | 1ccfe9d47acaf0038f8dc13d214d23dccbbe48e0b8c5461c903443fb1e644402 |
| SHA512 | 88f188f54704d021f02db1056876c04c9ceed337f8b595ad87700c971d4b124ae0c70d773a7ad84e8dad3968952e44cbe58c8e7387c4ad5a808fd7a85d3cccac |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | e9117b246600d04457dc58825bdc8b8c |
| SHA1 | 70ca6ff576281391cf7a0e86d2a6a0ef9205d919 |
| SHA256 | b2a94ad1cd5e92532171096eeeeda1a01a2408ebf0d636cba969338a8ee67edf |
| SHA512 | ba29bb9c0b691e0d09208426a1cb17a74e8c9dca9cfd9dca1bed15fb3dd1cf476a28efee0237db1d23ef4ddbf0e30c74597524c003a568e509ba2c2eee0ad507 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | a359c2feb92e48101aecfbc2acd9d9f1 |
| SHA1 | cc138b30159b47d5e5c05ac35c9834ffb9472cbd |
| SHA256 | ba5d5e0bfb584469b6a710ad8a6dbff91f88aa53f4a74049cfad16f3e1d365d8 |
| SHA512 | d36ab594e1ff1967b7b6b7d750b2225eec8633c4debe07d085cbc232ecca0fd57b6e45db297b67415a2db61657178e0d0831fe1edcb533afb636ff4716d40b02 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\@VpnToastIcon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SecurityAndMaintenance.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\@AppHelpToast.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\@AudioToastIcon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\@EnrollmentToastIcon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DefaultAccountTile.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\@WirelessDisplayToast.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_altform-unplated_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\SearchEmail.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-unplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalStoreLogo.scale-125_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-lightunplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-336.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-64_altform-lightunplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\auto-renew.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-96_altform-lightunplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-129.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-fullcolor.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\SmallTile.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-20_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-20.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\CottonCandy.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\firstrun\startup_background.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-high.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-125.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileSmallSquare.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-140.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-300.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-125.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Gravel.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-unplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-20_altform-lightunplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-250.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-150.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-400.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-fullcolor.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_done.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-100_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-150.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\WideTile.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-100_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreBadgeLogo.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-fullcolor.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-150.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\WideTile.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\ImportFromDevice.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-400.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square71x71Logo.contrast-white_scale-125.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_chartzoom_reset.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-256.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.scale-100_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Outlook.Theme-Dark_Scale-150.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Outlook.Theme-Light_Scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\images\i_save.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.contrast-white_scale-150.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\YourPhoneCallingToast.scale-400_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Theme2\img11.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerWarningToast.scale-150_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Theme1\img3.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\network\Images\i_clearCache.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Wide310x150Logo.contrast-white_scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.Shell\Images\LocationIcon.contrast-black_scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\RibbonToast.scale-150.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\ImmersiveControlPanel\images\wide.Globe.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\Assets\SquareTile150x150.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\SmallTile.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\ImmersiveControlPanel\images\Gaming.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\dockV.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-30_altform-unplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\MediumTile.scale-125.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClipping\Assets\Square44x44Logo.targetsize-24_altform-unplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.Search\Images\logo.contrast-white_scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-30_altform-unplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPStoreLogo.scale-100_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\Assets\Splashscreen.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.Shell\Images\PasswordExpiry.contrast-black_scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\StoreLogo.scale-150.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\DefaultSystemNotification.contrast-white_scale-400.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Web\Screen\img101.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.scale-125_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\WideTile.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\SquareTile44x44.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\ImmersiveControlPanel\images\wide.Apps.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.Search\Images\logo.contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerWarningToast.scale-400_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars49.contrast-black_scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square71x71Logo.contrast-white_scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\SquareLogo71x71.scale-400.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-48_altform-lightunplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\headerrestore.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\StoreLogo.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\Web\Screen\img104.jpg | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.contrast-white_scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare150x150Logo.scale-400_contrast-white.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.Search\Images\logo.contrast-black_scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerWarningToast.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\ImmersiveControlPanel\images\logo.scale-100.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-125.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\images\i_appevent.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-30_altform-unplated_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\StoreLogo.scale-200.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\diffIcon.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\stepOver.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\i_error.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.targetsize-32_altform-unplated.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\SplashScreen.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\SplashScreen.scale-400.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\CellularToast.scale-200_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-96_altform-unplated_contrast-black.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\memoryAnalyzer\images\i_info.png | C:\Program Files (x86)\FileFix Professional 2009\wizard.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe"
C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp" /SL4 $301CA "C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe" 232353 52224
C:\Program Files (x86)\FileFix Professional 2009\wizard.exe
"C:\Program Files (x86)\FileFix Professional 2009\wizard.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | filefixpro.com | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
memory/4356-0-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp
| MD5 | 0360b1d1195775766b2e78a7b463f658 |
| SHA1 | 8e4b2b1b6d1e4446c979b0cea7db6db7eee21610 |
| SHA256 | bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4 |
| SHA512 | 23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d |
memory/3536-6-0x00000000007B0000-0x00000000007B1000-memory.dmp
memory/4356-12-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3536-13-0x0000000000400000-0x00000000004B1000-memory.dmp
memory/3536-16-0x00000000007B0000-0x00000000007B1000-memory.dmp
C:\Program Files (x86)\FileFix Professional 2009\wizard.exe
| MD5 | e1827fbbf959d7c5f3219a1f0b0c35fc |
| SHA1 | 677d7c6179729fdb4a25afdd5579533f1606c810 |
| SHA256 | c28ac5f267bec7650ce271c12b23f087f9c3927a46b48682e363581fa29e2a5d |
| SHA512 | a65dc0550f9d1501add93390501027d83002c2df0df22bbf5d88dce9c98b6ebb4a2c297010e44cfebfaa8b7ba0f77ed12c2d13fb9b213e15c4b53dfd56ead0c3 |
memory/3536-37-0x0000000000400000-0x00000000004B1000-memory.dmp
memory/3536-44-0x0000000000400000-0x00000000004B1000-memory.dmp
memory/4356-45-0x0000000000400000-0x0000000000413000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
33s
Max time network
36s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Zwcd = "C:\\Windows\\SysWOW64\\KBDKORC.exe" | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\KBDKORC.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\KBDKORC.exe | N/A |
| N/A | N/A | C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RtlDriver32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{56321-2157-3235-3211} = "C:\\Users\\Admin\\AppData\\Roaming\\RtlDriver32.exe" | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\physicaldrive0 | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\KBDKORC.exe | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\KBDKORC.exe | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DB.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AV2.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SB.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RtlDriver32.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AV.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\RtlDriver32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\KBDKORC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe"
C:\Users\Admin\AppData\Local\Temp\AV.EXE
"C:\Users\Admin\AppData\Local\Temp\AV.EXE"
C:\Users\Admin\AppData\Local\Temp\AV2.EXE
"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
C:\Users\Admin\AppData\Local\Temp\DB.EXE
"C:\Users\Admin\AppData\Local\Temp\DB.EXE"
C:\Users\Admin\AppData\Local\Temp\EN.EXE
"C:\Users\Admin\AppData\Local\Temp\EN.EXE"
C:\Users\Admin\AppData\Local\Temp\SB.EXE
"C:\Users\Admin\AppData\Local\Temp\SB.EXE"
C:\Windows\SysWOW64\KBDKORC.exe
C:\Windows\SysWOW64\KBDKORC.exe
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /flushdns
C:\Windows\SysWOW64\cmd.exe
/c C:\Users\Admin\AppData\Local\Temp\~unins2362.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe
"C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe" "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
C:\Users\Admin\AppData\Roaming\RtlDriver32.exe
"C:\Users\Admin\AppData\Roaming\RtlDriver32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | middlechrist.com | udp |
| US | 8.8.8.8:53 | aeravine.com | udp |
| US | 66.96.162.135:80 | middlechrist.com | tcp |
| US | 8.8.8.8:53 | imagehut4.cn | udp |
| US | 137.175.35.119:80 | imagehut4.cn | tcp |
| US | 8.8.8.8:53 | aeravine.com | udp |
| US | 8.8.8.8:53 | bemachin.com | udp |
| NL | 178.162.174.147:80 | 178.162.174.147 | tcp |
Files
\Users\Admin\AppData\Local\Temp\AV.EXE
| MD5 | f284568010505119f479617a2e7dc189 |
| SHA1 | e23707625cce0035e3c1d2255af1ed326583a1ea |
| SHA256 | 26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1 |
| SHA512 | ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf |
C:\Users\Admin\AppData\Local\Temp\AV.EXE
| MD5 | 6be30106ab1a102d1e71454880c03ab5 |
| SHA1 | 8aa4d38d9b7e5c31508adf94e8a582cff7301066 |
| SHA256 | 80cd1cb55b51d87f316748e04e600671c6be78be56739b8dac6a483da4623bf6 |
| SHA512 | e9d98bdecac318b752718f2b7222973c6eaa79ed9ac836f6ba2cb234fbbeb0f712831be8cf90547b8313ff355c4a20eab304e778c6eca83cde190156014ca686 |
C:\Users\Admin\AppData\Local\Temp\AV2.EXE
| MD5 | 68fc5382721ce31345378b910e468290 |
| SHA1 | 8eb5c95adf51dfcddd61ae130cf3d05641dedc4e |
| SHA256 | d8a11a901f9a5a0280e69015d7adb103509af7b03c7b8fd6fbbcd3796140d7cd |
| SHA512 | 527dbbaefdc088c473544619467c68c1069af81b61571741379d25168c5b8bc207871a59de1806526c253eb5d1bd0dad335291d885445c83cd4cd5b91eb3f8dd |
C:\Users\Admin\AppData\Local\Temp\DB.EXE
| MD5 | c6746a62feafcb4fca301f606f7101fa |
| SHA1 | e09cd1382f9ceec027083b40e35f5f3d184e485f |
| SHA256 | b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6 |
| SHA512 | ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642 |
\Users\Admin\AppData\Local\Temp\DB.EXE
| MD5 | 9ea24c6453476b84947f59fa6286c67a |
| SHA1 | 915955825965f38523846f773d983c8085db8530 |
| SHA256 | da2f099f5ccef5a576f5c41f17887ab3430834cf4ee621ed578e334662b70e0b |
| SHA512 | f0a4ab2c9032c84c4106493bdfe62659c4caaeb35a4cee85ea8aa2b20d5520b2be071115810f6421a983e4d67df47b58db2f0dd00f11f389ae739ffa5cb77332 |
C:\Users\Admin\AppData\Local\Temp\AV.EXE
| MD5 | e1695d64b6dd90ccac31749222fd81d5 |
| SHA1 | a8596a81035087de73875bfc5a5edc8b93488d06 |
| SHA256 | 11338bf7b938c0e52392961e20511c25e05eb82f978da277fc1e46e764170805 |
| SHA512 | 5092bcc022218c40b4b759dbbac1ba0b2d9cf364d58b8e88905823663c6d9a2a96cced62bcefa8008317cba38945ea929815ed9c463a66824800ffe700c7011c |
memory/1280-27-0x0000000000260000-0x00000000002F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SB.EXE
| MD5 | 9252e1be9776af202d6ad5c093637022 |
| SHA1 | 6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8 |
| SHA256 | ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6 |
| SHA512 | 98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea |
C:\Users\Admin\AppData\Local\Temp\EN.EXE
| MD5 | 621f2279f69686e8547e476b642b6c46 |
| SHA1 | 66f486cd566f86ab16015fe74f50d4515decce88 |
| SHA256 | c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38 |
| SHA512 | 068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e |
memory/2244-30-0x00000000002C0000-0x0000000000305000-memory.dmp
memory/1280-50-0x0000000000260000-0x00000000002F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fake AV\tsa.crt
| MD5 | 6e630504be525e953debd0ce831b9aa0 |
| SHA1 | edfa47b3edf98af94954b5b0850286a324608503 |
| SHA256 | 2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5 |
| SHA512 | bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2 |
memory/1280-52-0x0000000000260000-0x00000000002F3000-memory.dmp
memory/1280-53-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1280-63-0x0000000000220000-0x0000000000251000-memory.dmp
memory/2580-64-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2684-65-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2352-66-0x0000000001FE0000-0x0000000002020000-memory.dmp
memory/2352-67-0x00000000748B0000-0x0000000074E5B000-memory.dmp
memory/2580-68-0x0000000000290000-0x00000000002F4000-memory.dmp
memory/2580-69-0x000000000029B000-0x000000000029C000-memory.dmp
memory/2352-70-0x00000000748B0000-0x0000000074E5B000-memory.dmp
memory/2580-71-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1280-72-0x0000000000260000-0x00000000002F3000-memory.dmp
memory/1280-73-0x0000000000380000-0x0000000000381000-memory.dmp
\Windows\SysWOW64\KBDKORC.exe
| MD5 | 80a2bdb0db5c5fbc8695c8ded8b30c0a |
| SHA1 | 1b211211a9b02ce2986e3613ccdb56d37869abbe |
| SHA256 | de3b58c97f73d98149c756b324f4e5a37fe2ac9beb1609e2abe1f5fef99a0ac1 |
| SHA512 | ebffc1222adc50ef3bdfd368da70ecbe4cde09a086392349e5ba4314ad5b5b99c480ca704f5d512b8fd78231503653383ff638563dd7f2302c1cf0761e973be5 |
C:\Users\Admin\AppData\Local\Temp\~unins2362.bat
| MD5 | 9e0a2f5ab30517809b95a1ff1dd98c53 |
| SHA1 | 5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce |
| SHA256 | 97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32 |
| SHA512 | e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42 |
memory/1280-91-0x0000000000260000-0x00000000002F3000-memory.dmp
memory/2352-92-0x0000000001FE0000-0x0000000002020000-memory.dmp
memory/2352-93-0x0000000001FE0000-0x0000000002020000-memory.dmp
memory/2716-97-0x0000000000230000-0x0000000000233000-memory.dmp
memory/2716-103-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AV2
| MD5 | f05db61496dfb8dc46702da9ac8818ec |
| SHA1 | e6b0e65de5d4a5d1f125eeee32b3107efc3c9bc5 |
| SHA256 | d5ef14abeed83be252cfb6205becf53984f3683f8eabc24cbf23451efd210af2 |
| SHA512 | 5357d258bef37d6f2556e91f88ea3621e120402493aa37286d194968a566eda2332a1febc6abf209a23ab5b82174020f95306cf3b70b293da989bfdeb3e0af03 |
memory/2716-104-0x0000000000400000-0x00000000004C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AV2.EXE
| MD5 | 014578edb7da99e5ba8dd84f5d26dfd5 |
| SHA1 | df56d701165a480e925a153856cbc3ab799c5a04 |
| SHA256 | 4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529 |
| SHA512 | bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068 |
memory/2244-175-0x00000000002C0000-0x0000000000305000-memory.dmp
memory/2352-176-0x00000000748B0000-0x0000000074E5B000-memory.dmp
memory/2352-177-0x0000000001FE0000-0x0000000002020000-memory.dmp
memory/2352-181-0x0000000001FE0000-0x0000000002020000-memory.dmp
memory/2352-182-0x0000000001FE0000-0x0000000002020000-memory.dmp
memory/2716-183-0x0000000000400000-0x00000000004C3000-memory.dmp
\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe
| MD5 | ba45f719f6a86cde676a9ffc7461b6b8 |
| SHA1 | b72e9329577a7f47d6d95eb6efdf694ebbb39824 |
| SHA256 | e150c5221cdd7d755eb9b09bcbedeb9e993e5d39c3902ab30752187e564c55e1 |
| SHA512 | 43abb3f334e813402cb68611f3f575e2822ec951aefc1a721e64f37a267e0d207599921964233abe5ce9452f05217442a85a3e030d30b5f59f3706c6b20e04ed |
memory/3068-207-0x00000000748B0000-0x0000000074E5B000-memory.dmp
memory/3068-222-0x00000000748B0000-0x0000000074E5B000-memory.dmp
memory/2352-219-0x00000000748B0000-0x0000000074E5B000-memory.dmp
memory/3068-218-0x0000000000A60000-0x0000000000AA0000-memory.dmp
memory/3068-223-0x0000000000A60000-0x0000000000AA0000-memory.dmp
memory/3068-224-0x0000000000A60000-0x0000000000AA0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:39
Platform
win10v2004-20240226-en
Max time kernel
164s
Max time network
165s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 732 set thread context of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | C:\Windows\SysWOW64\cmd.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \registry\machine\Software\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308} | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "3" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Key created | \registry\machine\Software\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308} | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "3" | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
| N/A | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\globalroot\systemroot\system32\usеrinit.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 732 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 732 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 732 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 732 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 732 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | \??\globalroot\systemroot\system32\usеrinit.exe |
| PID 732 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe | \??\globalroot\systemroot\system32\usеrinit.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
\??\globalroot\systemroot\system32\usеrinit.exe
/install
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 168.156.42.60:80 | | tcp |
| US | 168.156.42.60:80 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 13.107.42.16:443 | | tcp |
Files
memory/732-1-0x0000000000400000-0x00000000004C4400-memory.dmp
memory/732-2-0x00000000006A0000-0x00000000008A0000-memory.dmp
\??\globalroot\systemroot\system32\usеrinit.exe
| MD5 | 4acd14244d2cd76d06939163127cfb10 |
| SHA1 | 75f3e3c764f7d20c9950f5410f753f3210bcc2e7 |
| SHA256 | 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb |
| SHA512 | 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031 |
memory/732-10-0x0000000000400000-0x00000000004C4400-memory.dmp
\systemroot\system32\mseeeeee.dll
| MD5 | 8736c2a37ff0adf6f03d94bb34d1f784 |
| SHA1 | e4867b136e100c9d45f6adea593c9a636134f308 |
| SHA256 | dbe318e7c72f9558f836c920510a5245ae5af29996b62f661399ce3724458ec3 |
| SHA512 | 2bbb22540e6ae0ebdd7c5303f67fb3911025a9f8f68c1c192edf5247a66bff885e292dded093d4522488b9a98f5bb00f24b00374e8eeb219184faacc95818848 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:36
Platform
win10v2004-20240226-en
Max time kernel
9s
Max time network
11s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\gog.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "125" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39bf855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| LT | 94.244.80.60:80 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| N/A | 104.208.16.89:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4684-0-0x0000000000400000-0x000000000057F000-memory.dmp
memory/4684-1-0x0000000002580000-0x0000000002581000-memory.dmp
memory/4684-4-0x0000000000400000-0x000000000057F000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Checks for common network interception software
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\host_new | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerscan.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllcache.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfwadmin.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSSUI.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[5].exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\au.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdl.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPck.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winssk32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDInProcPatch.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto-protect.nav80try.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\start.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcons.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dcomx.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan95.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfwsvc.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsubwiz.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxfw.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pgmonitr.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmesys.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\support.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\Debugger = "svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\8b93e\\IS978.exe\" /s /d" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "15831" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\ = "Implements DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAKEAV~1\\INTERN~1.EXE" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "InternetSecurityGuard.DocHostUIHandler" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\mofcomp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"
C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp "C:\Users\Admin\AppData\Local\Temp\Fake AV\5781.mof"
C:\Windows\SysWOW64\netsh.exe
netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt diinu560ubjjsv.net 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt insssyfinr1275tc.net 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.com 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.net 8.8.8.8
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.com 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.net 208.67.222.222
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.com 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.net 8.8.4.4
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.com 208.67.220.220
C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt hppwycfjr1248swx.net 208.67.220.220
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| US | 74.82.198.254:80 | | tcp |
| US | 8.8.8.8:53 | www5.internet-security-guard.com | udp |
| US | 8.8.8.8:53 | secure1.safe-scanerwas.com | udp |
| US | 8.8.8.8:53 | secure2.simplenetworkzqi.com | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.131.105.46.in-addr.arpa | udp |
| US | 74.82.198.254:80 | | tcp |
| SG | 76.73.19.181:80 | | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | diinu560ubjjsv.com | udp |
| US | 8.8.8.8:53 | diinu560ubjjsv.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | diinu560ubjjsv.net | udp |
| US | 8.8.8.8:53 | diinu560ubjjsv.net | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | diinu560ubjjsv.com | udp |
| US | 208.67.222.222:53 | diinu560ubjjsv.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | diinu560ubjjsv.net | udp |
| US | 208.67.222.222:53 | diinu560ubjjsv.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | diinu560ubjjsv.com | udp |
| US | 8.8.4.4:53 | diinu560ubjjsv.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | diinu560ubjjsv.net | udp |
| US | 8.8.4.4:53 | diinu560ubjjsv.net | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | diinu560ubjjsv.com | udp |
| US | 208.67.220.220:53 | diinu560ubjjsv.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | diinu560ubjjsv.net | udp |
| US | 208.67.220.220:53 | diinu560ubjjsv.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | insssyfinr1275tc.com | udp |
| US | 8.8.8.8:53 | insssyfinr1275tc.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | insssyfinr1275tc.net | udp |
| US | 8.8.8.8:53 | insssyfinr1275tc.net | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | insssyfinr1275tc.com | udp |
| US | 8.8.8.8:53 | 220.220.67.208.in-addr.arpa | udp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| US | 208.67.222.222:53 | insssyfinr1275tc.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | insssyfinr1275tc.net | udp |
| US | 208.67.222.222:53 | insssyfinr1275tc.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | insssyfinr1275tc.com | udp |
| US | 8.8.4.4:53 | insssyfinr1275tc.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | insssyfinr1275tc.net | udp |
| US | 8.8.4.4:53 | insssyfinr1275tc.net | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | insssyfinr1275tc.com | udp |
| US | 208.67.220.220:53 | insssyfinr1275tc.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | insssyfinr1275tc.net | udp |
| US | 208.67.220.220:53 | insssyfinr1275tc.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hppwycfjr1248swx.com | udp |
| US | 8.8.8.8:53 | hppwycfjr1248swx.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hppwycfjr1248swx.net | udp |
| US | 8.8.8.8:53 | hppwycfjr1248swx.net | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | hppwycfjr1248swx.com | udp |
| US | 208.67.222.222:53 | hppwycfjr1248swx.com | udp |
| US | 208.67.222.222:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | hppwycfjr1248swx.net | udp |
| US | 208.67.222.222:53 | hppwycfjr1248swx.net | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | hppwycfjr1248swx.com | udp |
| US | 8.8.4.4:53 | hppwycfjr1248swx.com | udp |
| US | 8.8.4.4:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.4.4:53 | hppwycfjr1248swx.net | udp |
| US | 8.8.4.4:53 | hppwycfjr1248swx.net | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | hppwycfjr1248swx.com | udp |
| US | 208.67.220.220:53 | hppwycfjr1248swx.com | udp |
| US | 208.67.220.220:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | hppwycfjr1248swx.net | udp |
| US | 208.67.220.220:53 | hppwycfjr1248swx.net | udp |
| US | 74.82.198.253:80 | | tcp |
| US | 74.82.198.253:80 | | tcp |
| SG | 76.73.19.181:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 74.82.198.254:80 | | tcp |
| US | 74.82.198.253:80 | | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| N/A | 127.0.0.1:27777 | | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| FR | 46.105.131.122:80 | report2.ogpertblethagahert.net | tcp |
| US | 74.82.198.254:80 | | tcp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 74.82.198.253:80 | | tcp |
Files
memory/64-0-0x00000000023F0000-0x00000000023F1000-memory.dmp
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | b8224e5293d4fad1927c751cc00c80e7 |
| SHA1 | 270b8c752c7e93ec5485361fe6ef7b37f0b4513b |
| SHA256 | c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61 |
| SHA512 | 8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 008fba141529811128b8cd5f52300f6e |
| SHA1 | 1a350b35d82cb4bd7a924b6840c36a678105f793 |
| SHA256 | ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84 |
| SHA512 | 80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 6e86650ad96258b23f022605c5f202d5 |
| SHA1 | 321290e91871cb653441e3c87ee8b20ab5f008a0 |
| SHA256 | 8c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223 |
| SHA512 | e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | c0d1c60ba61e5779908fca77da375398 |
| SHA1 | 7b4029b08abeef0c7debd2f9ea44c3ac0d55a926 |
| SHA256 | 275727d35e9f113539cf02fb81ef35408242c29c14755f592d54590d23bbfedd |
| SHA512 | 7306029e6ef8082e6f23ed8e9ae8893249290b8f579942dd4e857bc98b6d54f895a4a63992689d8a7f4a2b93c90b178d3b53d323da25cff5fecbcbe8503bc488 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js
| MD5 | bf8ebb7e5ad797e5ab158a0d8a5ab5da |
| SHA1 | 9ad01fa0a0074b775d77171b18ee22c264b8fa54 |
| SHA256 | 498d565388665d46c31f7eaf04cda36242733a7848e967a027c83a7412b61c5c |
| SHA512 | 36337d24bc7a06508c719d3104b84510d649fa37ec4d2edaac12bda8a8ed2bc370f2923bffc185932af2868e189fde160fb1e95dfc9e1e88c06c8ea2bbd13dcd |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | c9ce59b1e3ee8b75017e9a71f4df4fde |
| SHA1 | 5e0cfc36216696b394c10d043d914b95b0ac9506 |
| SHA256 | a73cb08ae5a7408d0fd322cb3ba096276a3c2db4f35fba5796692fc62cbe413c |
| SHA512 | 2b2463c9685172837b5e1d55f3d85c42b153e2db3b9c020f19b104d34540a96162e645809e68cb082e3047df7a2299acedd37572a40f6c13fbe2ffc66f83987b |
C:\Users\Admin\AppData\Roaming\Internet Security Guard\cookies.sqlite
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 614640314f320e667f14c1899746a503 |
| SHA1 | df2fd4a0379368f4456c8c7e910affd667d01b84 |
| SHA256 | a1e76dbb882c6f57c5ab01a5335b38a2de49e1e7a396ec74f10ca1ef52b6ce6d |
| SHA512 | 11f8877faaae439d6c8bd3520644dd5c11104b6b4c42c506e0ff11f63d63a1acd933f09cf6ec4c85b0586ebbc63288cc4aa8690f6150d4c01e69bbbe75f98820 |
C:\ProgramData\8b93e\IS978.exe
| MD5 | fe7c10448a5cc17a65029be6a71bd190 |
| SHA1 | e1767d3163388f2d74f89475f237f55154c22135 |
| SHA256 | aa350ca50c1656d06182bb60a2bad3f749225ba6ccbd841680c211bd756eefad |
| SHA512 | 313ae00c9504e395836e38e15bc3d3b9bcd408faf936fc1a9fde641aac302f49b0d8dc5d1e3546a7e35fe3ddabfbe193314fbaed9f96f268e5fcd4b696099e0e |
C:\Users\Admin\AppData\Local\Temp\Fake AV\5781.mof
| MD5 | 3754f8f8abad5bad797085d0717a9766 |
| SHA1 | 48d92f36cb721b390e216aa03b27b41f25c563fc |
| SHA256 | 3c77f5f888d417a7a31284cb8c5e3bdb4d926c4a274cecac8a8b2920659d5927 |
| SHA512 | c59f322ece53c757767e52fe9bfbc3526a13afe9ec7503e3d1cae683eeb55cbb808a1bce720fd58f97f286756d314124bcf797c2167275e08ed93ba759bf3985 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 3478a0b0d29081b3dd28481a9437226a |
| SHA1 | 22f00dc21f300026431d716e3cc96ff7b1fd2c33 |
| SHA256 | b9d10d67574441c9fe5804b0c48c8b4b3829f3ddf9c6913febaf4d177211eb08 |
| SHA512 | 33b6b700ddcad993dc79f4f9ace5a31556c7dc5cda43dc283331b2b2fcb4da6ede3a8874f77e6e64e48d828996137773f0b7c9ef025f3af247a76771376b1feb |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 98c56cc5a5ad2768f9c2de15ae05bce0 |
| SHA1 | ba6024976a446be70e500bc4318df2ba57b40624 |
| SHA256 | 7f10dcf6013b5696925c9d613893b7c7e8023be95a35d4edd563594a556c142e |
| SHA512 | 6c4942eec234ad7276dacecf019da20df83f8ac535cc1e2b656e01468c06434cc69504c0fbb16d7dc0757d65fb076c7cf9d1586808b9bede9af8bd0b9203a3e2 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | c27a57f000ebaa707932db0f7821c77f |
| SHA1 | 2f94ae38c56aaa32b5566bf7073ce0b1b3eb159e |
| SHA256 | cb96d05337897d60ca9628c1f6f69e67e2b784818ff1dec24f229aca1b03d466 |
| SHA512 | b39b3c4f3e5dabf5440adb0eae1335f4f070c61d827695bb6d7edfbd817a9bcbc28f3fb6b96ed3f178c5111f8e0bb6f7f837feea56c2021cbb2e7319f2ff6b9c |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 24e7829c023f5ee044e40ad9e2cf5f1a |
| SHA1 | b7cc75068765a450f112230f08b577bb25630da6 |
| SHA256 | 54ef66c9894b0423e30105628a767e6b422fb0c02be614e0cbc3a2ec1851654a |
| SHA512 | a6f7f02a522035039c3107e1ef2c79687106a92d14339f595e3fdba7da6fde960ec948e495d35154c7a07850acaa1c951fc0bf640860f8e1a8bc34af57840aed |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | d06c0de9604e2e2c45c42a82a2b8e333 |
| SHA1 | c2893e549458c48b0a5b4ebe07ae794b725d23dd |
| SHA256 | e841a98e62047dd9d21be1d6afd524eb662f627f692df28ea14d24275ab9def2 |
| SHA512 | c2bd03533d618e91da41959858997d5627c5bd9ea65113de178552b5a3fd1a3e7963ea3bf141b4c2fa615a2a0df3bfa0d57c186aabce36a5b57afc507720a70f |
memory/64-423-0x0000000013140000-0x0000000013764000-memory.dmp
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 07d20e95c2a5ea8b2dd526dc80584a10 |
| SHA1 | cb3b943b0600fc4cbce9fc13874946f46eb933e7 |
| SHA256 | e7bbf018c2877d81007346c0796d10db12cabdf3aba7be4656cd8cff9088d208 |
| SHA512 | 26a5c9fdb296d54c025a82689fa7a240c4928d7bcd259933f7294e6c499dc3bdf2ac3f3a30815c55910031cebb9776ab36df31f48bb45c6d26b4057f3dc262ff |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 06363b1a2562d3102f04ef94b71416de |
| SHA1 | 9cfc40ac33dcad09bf3addd5ce7165ec24f7bd11 |
| SHA256 | 30c5b9b48d4d3aac91cfe829c14514a8a9a0a3621802891373e011170fe3c7f4 |
| SHA512 | 908dc915aa528761326397dee3fea768ea5c974d4716a95be0e0f928576596cd4cd47700cce5977eb63232fd8fe5c313acda08b88c8ba2d75eea90351fd9f7f5 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | d9dc368d346defd69187a472d34a4134 |
| SHA1 | f11aa565121623f552a211140ed663e85060f182 |
| SHA256 | bedfee0f41b9aa0c9b1767c0b6ae5b73a25775c6e4246b4f1dce712cc715e542 |
| SHA512 | 0e95b7000876086005f8cd1ad43646e68d5372c467a6f427a6ee585f9584c3e3f701207e63dde04354cdd816abe6a6fedb1d0669f88fd29014ed8ad73db0f0f8 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | b466d4fd4a5fe76a26effe5004f0ef21 |
| SHA1 | 4b0a2a478ffab1b2b4a0082fd9578bfba01f4c5c |
| SHA256 | ab14a6ff8c11cecec6a84ca69f0c12a26224468a3e695573d8bb7952f56724e6 |
| SHA512 | 10c85255a79d9490896bace5bc5c8425159ca273c481c9ecf11083670838f4cd2e2a8e68ec1f040848350c314fb68adffba33c9d03307152acba651ba139ce16 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 0d5c00ef7eae233c849b23bef8727676 |
| SHA1 | 0424ba73bad0e3f291a90fec3bb86bc20a776a9f |
| SHA256 | 377008d751f87732ca02182456b5d767e1c2b391a426b53106d3dd028530ebec |
| SHA512 | 2f76da17e4357f3b5b5428de88e936e674a6c5d0a13e9e49fa7c4436ddef1f5c31ab31dd65fd33e63c22336c82f63af450ff6ab1a1f313af4a0a052325ee9c35 |
memory/64-484-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-485-0x00000000023F0000-0x00000000023F1000-memory.dmp
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 5ec1eb1ab2e0b62ad1cd97956bae8dce |
| SHA1 | be9e327e45409ae795a69cc9e50a4c5bb4049814 |
| SHA256 | d4433e694eccb96fa4ce9dd82f00f4d29512c33ca7a6e06d55592d757a1a99ac |
| SHA512 | cab651763361e49b5d03198bbeaee8df6ab5aa6dced4e9f43a65a5104fb9cf0b7d19b9cc4ff93c24b6fadc4ee27415cd32c1b8a5aa568cfdaa4bc478a5781340 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | c7b227048219ac5811bc2f777e879a8d |
| SHA1 | c264c74ff88210fb88ea8c5c947b96220f2e4a07 |
| SHA256 | 4a9a735a12405b0fe4c1fbcb38d1f57808ac0386167d3024eaff850d0fe4ee83 |
| SHA512 | 853f5bae6f7049a7802d23617a4b2c68d64dacdcd3ef4754ac8f06f52bf4046a0613450b2b2149d4d16d0515461511d87fbb2b6a301317cc1f304598959d3670 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 2df5ad84c45badf1e03bd68bf95eb86c |
| SHA1 | 1c6eef307c6aa4bdf578073ae71a77004f68d31b |
| SHA256 | 655196e91302a5d6deb266cede4a6b193f6175a79a9b463c0ce26bacbbe2b040 |
| SHA512 | e90f3223081876419f51efe4733d581bff73c36bc876c9e60cb259892c9a43e0eb226a0b5fd89b89dd22cf1eacd208ac2afe05b8bdf63a5dd91a84228ff88f5c |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 0d9645e24c9b3dcc429ece0db44e2136 |
| SHA1 | 67b2dc6dbd4b452a32eb080db0f1d7da068422a5 |
| SHA256 | 4b35e346498774a434fd8f0d7db0c23adcb33c582d39e3c97e76e6f93eb90d17 |
| SHA512 | c8710ed57982f47713a70e1743fd4ac4362d19a3392f0f5c8b0cae3673814f88f16d9493e3f16c6f45b4d027c9a6e9597480f18257bb2e07136d0596d1d8d69f |
memory/64-535-0x0000000013140000-0x0000000013764000-memory.dmp
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 63c3c1816d205ef6a895a020c603fb4f |
| SHA1 | eb57e0176ac506bff77a9dddc4bf8aef7bc308d2 |
| SHA256 | 91b0b9b7ec6bbed884331231a21581b7eb30aa4ebaebf70ec8e9a666dedc2557 |
| SHA512 | 43eedaf7b0b7a12043650705b465ddf0d5c23604dcc084603ae1de3295fabdd8f9ef0d1bfa0b8dec75647de18aacd7a6f9c86934a12f04d98a89f8cd6bf133fc |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 61e9ea70910e91d7232e04fe83ba7a6d |
| SHA1 | d21edcbaeee79549f05c3db4b33ed2414c000fba |
| SHA256 | 2f9346e228a51813dc895e2fcf679d9894c0739dfdb5e88fdc16c59c68fd5c26 |
| SHA512 | 2dcb38005f3c6d204d85756f892f53aedcc90ad75ae3b49aa8fb5124cf3eb6389648a871e8ce838dc15b558e3c7ffa3fccd1231d6cbea7bfe6c659aa14b6892e |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 3129f839d59c5f3d3cd267817f27d292 |
| SHA1 | 3101a3593fa865290ec4c1310ba37368e3ffc8c0 |
| SHA256 | c6004eb98e8c34e2fa1dc136ccfbf366c897f1226ccc0649e9b6be6f3741b525 |
| SHA512 | e10855220fde90204b3f93e274b9c75b70a26c8cca2ac04459babd7bca7de35369dc12328b7270038a8c6a7d279e24edc2528a655c25fbdeac6b8c633aa99b7f |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | aba755f7b4d32732e06ec35015f92024 |
| SHA1 | f3a016dcdfe7c59ddad18fa8223c854444094f55 |
| SHA256 | e3b99bb6692ffcb94545f34ff49b054deeb9f455f75e0694306699b1316d7afb |
| SHA512 | a3e2a7913d69565cc7e31ba10c56cf996b6bbd439c0a449854d39990b5ae493bfbd3d2455155a8d16d466f01fee0b39818d160ffe8768278168e07e8f7ca1219 |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 8643c4e4da3fc60067945b37eb42bc04 |
| SHA1 | 1c6ce62ac6e39f88a08e07641b4a4e91eba54648 |
| SHA256 | 3979a8da68d0a6ded406bfd28b4d674d5d1006485ffeb37069064e280f46b237 |
| SHA512 | 479910d0dafa6a45735b24f61d9469bec108a4b90f29c7c63655b9d2633fa7a489123cc30520ec3b195f562bde9bd603651acd33ff9404a1220ecdf7edb7a0fc |
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | 538264467013e1dec74f79c771b02ad5 |
| SHA1 | e6b77af6c639972c9ab7454b30f5af82b6a94979 |
| SHA256 | 2340db009847570b9e450cff93337eedf42b1d98b3c37c9b5505ef0bead7ebc2 |
| SHA512 | e1a1b9e34bf48ea421d4872f69f453a220d1a4db77b6ef3c0e700bb13000042709201eab2aa3b523243f9433eeef3fe26432e88e2d7b7ab943d8263dbf11acd4 |
memory/64-607-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-609-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-611-0x0000000013140000-0x0000000013764000-memory.dmp
C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg
| MD5 | d6b6ca70350c95f725f3ac8246d19809 |
| SHA1 | b9055b5232e1c60a57d35b79ecd13ca71348b46c |
| SHA256 | e305e08757de10965c96651bdcbc89b961f2af2fee089546b6a672ece7373573 |
| SHA512 | eabb4fe5a79a3e2c476259b9bc1b9cdb47359e403c219f09a5b71276d40fdc7cfdeed97c16c91234f487cd36418c089a90a910093268b7ca494acdb7f1f8742f |
memory/64-615-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-618-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-619-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-620-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-621-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-622-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-623-0x0000000013140000-0x0000000013764000-memory.dmp
memory/64-624-0x0000000013140000-0x0000000013764000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
114s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2884 -ip 2884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 588
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| IE | 52.111.236.21:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
Files
memory/2884-0-0x00000000006B0000-0x00000000006B1000-memory.dmp
memory/2884-1-0x0000000001000000-0x00000000010CE000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaDebugger.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaDebugger.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
| N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe"
C:\Nava Labs\Nava Shield\NavaShield.exe
"C:\Nava Labs\Nava Shield\NavaShield.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x510
C:\Nava Labs\Nava Shield\NavaBridge.exe
"C:\Nava Labs\Nava Shield\NavaBridge.exe"
C:\Nava Labs\Nava Shield\NavaDebugger.exe
"C:\Nava Labs\Nava Shield\NavaDebugger.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | navashield.com | udp |
| DE | 64.190.63.222:80 | navashield.com | tcp |
| US | 8.8.8.8:53 | 222.63.190.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/1264-11-0x0000000000400000-0x000000000047A000-memory.dmp
C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll
| MD5 | 831295342c47b770bf7cc591a6916fa7 |
| SHA1 | 2c9063fbf3f3363526abdc241bf90618b82446d1 |
| SHA256 | 8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656 |
| SHA512 | 01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e |
C:\Nava Labs\Nava Shield\NavaDebugger.exe
| MD5 | 404501846c15ee0774025ded425d4707 |
| SHA1 | 87c4af4698aa2294b53fe4c6349ff552cfa38356 |
| SHA256 | 660cc09f9d69a1ff879a811b765e1fa898081019d029d77cf833a9a915ae9873 |
| SHA512 | 4bbb20aea92140c1057e9131141a543c0d3bf46578f92a0b2fc8448b4b8fc106b98a5d44212f6c197d1ec77dbac32d7cb21935fcc72ef31b339c5b8e3080dec6 |
C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll
| MD5 | de5eefa1b686e3d32e3ae265392492bd |
| SHA1 | 7b37b0ac1061366bf1a7f267392ebc0d606bb3db |
| SHA256 | a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744 |
| SHA512 | c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508 |
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
| MD5 | 4fe19c390d4cbaaa6faae51a9131923c |
| SHA1 | a3c114ab35f37b0444939ae479ed33a3a5ee6f13 |
| SHA256 | b95cbd2158693bbd3cefedfdc40cf4acae63883fa17ec4e9f8a38fb7b4593c1b |
| SHA512 | a7ea9145e9dfeb36adc13bdb2ccc286ab946a219899cb25b384e3788a90b43ee40c88584c64cbb77de074b8ff92fb8db9bd2b68af47b0a11d779c96bc154f24d |
C:\Nava Labs\Nava Shield\NavaShield.exe
| MD5 | 310ee3a3e78d0b21e6e09225a80f6cc0 |
| SHA1 | b0e1cd52ef63f0ad14049fc4237875794c4f5ecc |
| SHA256 | 20201d9a8462d9b26908b6482044610c7e1551f0b8e981cae20c2510af0ed12b |
| SHA512 | dc6112b43cad6fc13b8976c833231e38809880a966ae544803c0499257e78289b265c0b27d901e2593b554c366eb1cf3372033ab1ca3f492ab81fc52a062d8d8 |
C:\Nava Labs\Nava Shield\NavaShield.exe
| MD5 | 69f41559fca633978b2bd4032b5c0a49 |
| SHA1 | 5fcf9c203b39a7e0ee2a9c92541149310cbe20fa |
| SHA256 | 7d95aa92c14e385bc35087e143a3bff894c34974da1310c9c5cc9ec4ea17e82c |
| SHA512 | e1945fe0db154b5ad6e1e707b89dfd3f1f1d3191d618c8be549e5a7d9ee13bcd1b7a69f8a1f916b9588b756f0e78f19c89df39d99c709e8325c08af55e580744 |
memory/1264-110-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4656-117-0x00000000026A0000-0x00000000029BB000-memory.dmp
memory/4656-116-0x0000000003E30000-0x0000000003E42000-memory.dmp
memory/4656-121-0x0000000003E60000-0x0000000003E7A000-memory.dmp
C:\Nava Labs\Nava Shield\config.dat
| MD5 | b0f4924346d2daa81a9f7d241a987d6c |
| SHA1 | 190356e26e8054f338d1f4b6a4e582e02149f7fa |
| SHA256 | da4728e17ae412494f6b548e21b136fbb830abc4a2bac5fd7c1522a2a729271c |
| SHA512 | 8eddb6eaf687aa5cb4bbdf3f0914e401dd42c488f8d68243d705608197006ee09195d39f80b6ff5b878be4e18238297bf1a38e60d82b72e3f53c7a998a8e1e1e |
C:\Nava Labs\Nava Shield\NavaMod.dll
| MD5 | 3d7f80fb0534d24f95ee377c40b72fb3 |
| SHA1 | 11b443ed953dae35d9c9905b5bbeb309049f3d36 |
| SHA256 | abd84867d63a5449101b7171b1cc3907c44d7d327ea97d45b22a1015cc3af4dc |
| SHA512 | 7fc741bbce281873134b9f4d68b74ae04daf943ea4c0c26e7e44579f2d51883c635972a405dd81cee63079a5ba9d09328a1e26e7878547590569806d219d83c7 |
C:\Nava Labs\Nava Shield\NavaShield Libs\Appearance Pak.dll
| MD5 | fcf3ac25f11ba7e8b31c4baf1910f7a6 |
| SHA1 | fb470541f0b6b8f3ce69dcaa239ca9a7d7e91d72 |
| SHA256 | e5b3249fbeea8395fd56c20511bfcfdb2b2632d3c8d517b943466a4e47f97b5c |
| SHA512 | 47c467924d64af4a48a6e640778aca1dce379d16b06bf3f60a44025034c15ce1498ef307b63cb04e5c0cbb6c2ac58022acdb0d6efb1109c5ea31f842a320aa40 |
memory/1264-130-0x0000000000400000-0x000000000047A000-memory.dmp
memory/4656-135-0x0000000069F80000-0x0000000069F88000-memory.dmp
C:\Nava Labs\Nava Shield\NavaBridge.exe
| MD5 | 903a4e6e78dc62bc7b9e261ff3cce399 |
| SHA1 | a6a9ae0572ab0ed14cb62441f1f1ed0d3b52d926 |
| SHA256 | 0d12740248a3849bc5f92134502a95dc413fcd6be25fa6893b1c05f920ed2cb7 |
| SHA512 | 31b9fb9bdaa78c18276f1d1da93ce099b19437f1fb27f0e4b0f49b82881aff40bc7d610ba755283461a6fd9c20dc669b86ff453e6b52f4633a38177bb6b89daf |
C:\Nava Labs\Nava Shield\NavaBridge.exe
| MD5 | 8c54a7f80cc21f50908023844bd88a77 |
| SHA1 | cf0f590a1c93356b77358d56311578b75b98cc57 |
| SHA256 | 3bf536a387ce91a81936b4f3bb1df34d19e80b22e98c08e7b87b757075ebac67 |
| SHA512 | 5e45edcb0c9c76e1c4b8ad52a2da899547416f69a3f931c04c439b2d447ce5d2fad40ea5a389645a225eb32086b65c91d37b778c6ace0764ff26d95f9f231e1f |
memory/2580-141-0x00000000025B0000-0x000000000273B000-memory.dmp
C:\Nava Labs\Nava Shield\bridge.dat
| MD5 | e66f1107f995d52bcd90421b3cdc0dde |
| SHA1 | 245acafa2f3dab3f2b7f183d34267dcd976199c0 |
| SHA256 | 45fa6eacea58e682c2ef2bb9e888cb6bf396c37b957fd144ca73c95699ad3c74 |
| SHA512 | 0500f9dec5cfdfb80bc5763943deb3111ccde4b35f19ac124df2e5abde2681154977f160a42e9ef50698b0ea0cc26fc09361a3917534038f141dd047f0287c1f |
C:\Nava Labs\Nava Shield\NavaDebugger.exe
| MD5 | bc379ff85e4b9b5886f7416d7e1014be |
| SHA1 | f74a8db0c0c2b19ded9b22ed8ea2183388845d08 |
| SHA256 | 84040973247c112d18ccf5495311df65f2bbe6b98c464cb2562549d03e8ad0ec |
| SHA512 | 95fb614a24be346c43acf572eed58a46defb4017f771453d83bfdb820f17f4ff1855d6f2c2b6822bf3f939f9bc7743adf81366e315aaf7e2816a6e5abccd668a |
memory/2580-151-0x0000000002960000-0x000000000297A000-memory.dmp
memory/380-154-0x0000000002600000-0x0000000002787000-memory.dmp
C:\Nava Labs\Nava Shield\navig.dat
| MD5 | 0bf850cb9d0aa0f4c778cc515b79bd13 |
| SHA1 | c0cb8a58cba046d2c7539025a39c8a1af81c3914 |
| SHA256 | 9c4723ecb77e39e58eda9c60f532724aa3bf69de30047cc7b6522534cd423f00 |
| SHA512 | 649c13f9f4fccc03ebd6cb2c3752434c69b5a8d7e9b94cac80cd98a7624bfd00648949b18cd720faf89fae050f6b523221db589a550c6ce4513e76ff0895da5b |
memory/2580-147-0x0000000002940000-0x0000000002952000-memory.dmp
C:\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll
| MD5 | 912924f628e277be9cc28a5f2a990cb9 |
| SHA1 | 13c0166469a271497043a2f13e9a6a610dc2b336 |
| SHA256 | bd474c5aafcaa12f20da5ecb29e17555b953eca46b4f56588a72672a36d4a8eb |
| SHA512 | b33b430254f9ec32ecd6224124db69af93de3cbfbaf422a0045641f7961834a67cba1b9fd97f4e0e903e27e3360301c5dba214a6b9156c4cdf8a25115b860c39 |
C:\Nava Labs\Nava Shield\config.dat
| MD5 | 3cad4610cca4159318a0e77632d3ef08 |
| SHA1 | e0d3c55b5992744e5b7d938873c682601a461fc1 |
| SHA256 | 8adfe6ddd57f59595cb026b09726b3146fc59b8f28183146cdd46e499d0ad527 |
| SHA512 | 37034028fc483d1b3bdeea24574c1113c0fca858f09e4bf4c3aa5ffce0a3016997dc559d4b8f4b5f66be415dba9539ce4d06e05ba6c83ac1609a71aba5039c01 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240221-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1752 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | C:\Users\Admin\AppData\Local\6AdwCleaner.exe |
| PID 1752 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | C:\Users\Admin\AppData\Local\6AdwCleaner.exe |
| PID 1752 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | C:\Users\Admin\AppData\Local\6AdwCleaner.exe |
| PID 1752 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | C:\Users\Admin\AppData\Local\6AdwCleaner.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe"
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
Files
\Users\Admin\AppData\Local\6AdwCleaner.exe
| MD5 | 87e4959fefec297ebbf42de79b5c88f6 |
| SHA1 | eba50d6b266b527025cd624003799bdda9a6bc86 |
| SHA256 | 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61 |
| SHA512 | 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9 |
memory/1928-6-0x0000000000970000-0x000000000099E000-memory.dmp
memory/1928-7-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp
memory/1928-8-0x000000001ADC0000-0x000000001AE40000-memory.dmp
memory/1928-9-0x000000001ADC0000-0x000000001AE40000-memory.dmp
memory/1928-10-0x000000001ADC0000-0x000000001AE40000-memory.dmp
memory/1928-11-0x000000001ADC0000-0x000000001AE40000-memory.dmp
memory/1928-12-0x000000001ADC0000-0x000000001AE40000-memory.dmp
memory/1928-13-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp
memory/1928-14-0x000000001ADC0000-0x000000001AE40000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4880 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | C:\Users\Admin\AppData\Local\6AdwCleaner.exe |
| PID 4880 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | C:\Users\Admin\AppData\Local\6AdwCleaner.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe"
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.vikingwebscanner.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 52.111.229.19:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\6AdwCleaner.exe
| MD5 | 87e4959fefec297ebbf42de79b5c88f6 |
| SHA1 | eba50d6b266b527025cd624003799bdda9a6bc86 |
| SHA256 | 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61 |
| SHA512 | 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9 |
memory/932-11-0x0000000000640000-0x000000000066E000-memory.dmp
memory/932-12-0x00007FFF99910000-0x00007FFF9A3D1000-memory.dmp
memory/932-13-0x000000001B320000-0x000000001B330000-memory.dmp
memory/932-14-0x000000001B320000-0x000000001B330000-memory.dmp
memory/932-15-0x000000001B320000-0x000000001B330000-memory.dmp
memory/932-16-0x00007FFF99910000-0x00007FFF9A3D1000-memory.dmp
memory/932-17-0x000000001B320000-0x000000001B330000-memory.dmp
memory/932-18-0x000000001B320000-0x000000001B330000-memory.dmp
memory/932-19-0x000000001B320000-0x000000001B330000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-02 22:34
Reported
2024-03-02 22:38
Platform
win7-20240215-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe
"C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1256 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe" & start C:\Users\Admin\AppData\Local\goujfbdq.exe -f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1256
C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
C:\Users\Admin\AppData\Local\goujfbdq.exe
C:\Users\Admin\AppData\Local\goujfbdq.exe -f
Network
Files
memory/1256-0-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1256-1-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/1256-2-0x0000000000260000-0x0000000000262000-memory.dmp
memory/1256-4-0x0000000001000000-0x00000000010CE000-memory.dmp
\Users\Admin\AppData\Local\goujfbdq.exe
| MD5 | d0deb2644c9435ea701e88537787ea6e |
| SHA1 | 866e47ecd80da89c4f56557659027a3aee897132 |
| SHA256 | ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3 |
| SHA512 | 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf |
memory/2600-9-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2600-10-0x0000000000270000-0x0000000000272000-memory.dmp
memory/2600-12-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2600-13-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2600-14-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2600-15-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2600-16-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2600-17-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2600-18-0x0000000001000000-0x00000000010CE000-memory.dmp
memory/2600-19-0x0000000001000000-0x00000000010CE000-memory.dmp