Analysis Overview
SHA256
b23eccb36868753a1131a9a6b88b33324b3cdd7e232fb80cb5df4e2994f5a9e6
Threat Level: Known bad
The file PC Defender.zip was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 16:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 16:39
Reported
2024-03-02 16:39
Platform
win7-20240220-en
Max time kernel
33s
Max time network
16s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" | C:\Windows\syswow64\MsiExec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Def Group\PC Defender\hook.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Installer\f76405a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI41B2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76405a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76405d.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76405f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76405d.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found\C:\Windows\inf\mdmaiwa4.inf = "Backdoor.Win32.Bifrose.cbfm" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerMinute = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerNever = "1" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerMinute = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerDayOfWeek = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerDaily = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerSecond = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerSecond = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerHour = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\ | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerNever = "1" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerDayOfWeek = "0" | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Language = "1033" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Version = "16777216" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Version = "16777216" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Language = "1033" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\ProductName = "PC Defender" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Assignment = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\[email protected] | "C:\Users\Admin\AppData\Local\Temp\[email protected]" |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi" |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\DrvInst.exe | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "000000000000039C" |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 71AA340524A4D9270EA015A138DC85D0 M Global\MSI0000 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 /f |
| C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | "C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe" |
| C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | "C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" Antispyware.exe |
| C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | "C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe" |
| C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | "C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" Antispyware.exe |
| C:\Program Files\Windows Defender\MSASCui.exe | "C:\Program Files\Windows Defender\MSASCui.exe" |
| C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe | "C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe" |
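The process listing above is where the install chain becomes readable: a self-extracting archive unpacks an MSI into a RarSFX0 folder under %TEMP% and runs it through msiexec, a custom-action MsiExec.exe then drives reg.exe to copy the product's Windows Installer registration key to a name with a trailing underscore and delete the original, and the dropped Antispyware.exe is paired with a proccheck.exe that takes the executable's name as its argument. The script below is an added triage example and is not part of this report, the sandbox, or the analysed sample: it parses image/command-line pairs in the form shown on this page and applies heuristic rules for those three patterns. The sample listing is a constructed, abridged copy of the report's process list (the repeated reg.exe COPY and proccheck.exe entries are collapsed to one each); the rule names and the reading of the COPY/DELETE pair as unregistering the product from Windows Installer are the author's assumptions drawn from the command lines, not findings stated by the report.

```python
import re
from dataclasses import dataclass

# Constructed sample input (abridged from the report's Processes section):
# an image path line followed by that process's command line.
PROCESS_LISTING = r'''
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "000000000000039C"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 71AA340524A4D9270EA015A138DC85D0 M Global\MSI0000
C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 /f
C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
"C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe"
C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
"C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" Antispyware.exe
C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
'''

# Per-machine MSI product registration lives under this key (lower-cased for matching).
INSTALLER_PRODUCTS = "hkey_local_machine\\software\\classes\\installer\\products\\"

_CMD = re.compile(r'^(?:"([^"]+)"|(\S+))\s*(.*)$')


@dataclass
class Proc:
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_listing(text: str) -> list[Proc]:
    """Pair up the image-path / command-line lines as the page lays them out."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing must consist of image/command-line pairs")
    return [Proc(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Separate the (possibly quoted) image token from the rest of the command line."""
    m = _CMD.match(cmdline.strip())
    return (m.group(1) or m.group(2)), m.group(3)


def arg_tokens(args: str) -> list[str]:
    """Tokenise arguments, honouring double quotes (empty "" tokens become '')."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', args)]


def flag_msi_from_temp(p: Proc) -> bool:
    """msiexec /i on a package that lives under the user's %TEMP% tree."""
    if p.name != "msiexec.exe":
        return False
    toks = arg_tokens(split_cmdline(p.cmdline)[1])
    return any(t.lower() == "/i" and i + 1 < len(toks)
               and re.search(r"\\appdata\\local\\temp\\", toks[i + 1], re.I)
               for i, t in enumerate(toks))


def flag_installer_reg_tamper(p: Proc) -> bool:
    """reg.exe editing the Windows Installer product registration directly."""
    if p.name != "reg.exe":
        return False
    toks = arg_tokens(split_cmdline(p.cmdline)[1])
    return (len(toks) >= 2 and toks[0].upper() in ("COPY", "DELETE", "ADD", "RENAME")
            and toks[1].lower().startswith(INSTALLER_PRODUCTS))


def find_unregistered_products(procs: list[Proc]) -> list[str]:
    """Keys copied to '<key>_' and then deleted: the product no longer registers with MSI
    (assumed purpose: keep it out of Programs and Features and away from msiexec /x)."""
    copies, deletes = {}, set()
    for p in procs:
        if p.name != "reg.exe":
            continue
        toks = arg_tokens(split_cmdline(p.cmdline)[1])
        if len(toks) >= 3 and toks[0].upper() == "COPY":
            copies[toks[1].lower()] = toks[2].lower()
        elif len(toks) >= 2 and toks[0].upper() == "DELETE":
            deletes.add(toks[1].lower())
    return sorted(src for src, dst in copies.items() if dst == src + "_" and src in deletes)


def find_watchdogs(procs: list[Proc]) -> list[tuple[str, str]]:
    """A process whose argument names another listed executable (assumed watchdog/restarter)."""
    names = {p.name for p in procs}
    hits = []
    for p in procs:
        targets = [t.lower() for t in arg_tokens(split_cmdline(p.cmdline)[1])
                   if t.lower() in names and t.lower() != p.name]
        if targets:
            hits.append((p.name, targets[0]))
    return hits


def triage(text: str) -> list[tuple[str, str]]:
    """Run every rule over a listing and return (rule, evidence) findings."""
    procs = parse_listing(text)
    findings = []
    for p in procs:
        if flag_msi_from_temp(p):
            findings.append(("msi_install_from_temp", p.cmdline))
        if flag_installer_reg_tamper(p):
            findings.append(("installer_products_tamper", p.cmdline))
    findings += [("installer_product_unregistered", k) for k in find_unregistered_products(procs)]
    findings += [("process_watchdog", f"{a} -> {b}") for a, b in find_watchdogs(procs)]
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(PROCESS_LISTING):
        print(f"{rule:32} {evidence}")
```

The cross-record rules are the useful part: a single reg.exe COPY of an Installer\Products key is odd but explainable, whereas COPY to a suffixed name followed by DELETE of the original, in the same install, is the pattern worth alerting on, and a helper executable that takes another dropped binary's name as its argument and appears repeatedly alongside it is the shape of a restart watchdog.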
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi
| MD5 | 7f728acab22868ca02cc1ba0a14f5d64 |
| SHA1 | 9e3e82b152447b8bcd27583fbdab7aa91ca4739d |
| SHA256 | 586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4 |
| SHA512 | 9bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800 |
memory/1992-26-0x00000000006F0000-0x00000000006F2000-memory.dmp
C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
| MD5 | af4761437567f84ffbec44c978ac2634 |
| SHA1 | 488e27e01b629f3c2cd274a3c6572cdb040fc137 |
| SHA256 | 41922380e3a419fea5a794a16e7abe3364c08da6c66fca0ce8f37c20e21ede68 |
| SHA512 | 82694af3458a01040b9753f133e446c32fef105d4d36dfe8a5fa944080f4b6736dc8e4fbe2abb3db6f79ff24f8e1b9f07543c1193410cfa0a3faafd3e1ce096d |
C:\Config.Msi\f76405e.rbs
| MD5 | 9ebe73b0da14e32c19ed94445e34a9ee |
| SHA1 | 77e98228c192a24adeb14d9f02eb4790b67ed3ed |
| SHA256 | 87e6e733a90474844a05a6c922e6196d1ecd0c8502faeb6ce6b5b873cb6daeac |
| SHA512 | 5fe5eb18974f56ae66bf9a7a32aaa44d89fb8bbe32ace0ac0f78b12d282a31529fbc4aa5b709d648cd1b2737f38cf24a75513ed18e9093ae92127d6bfb40200e |
\Program Files (x86)\Def Group\PC Defender\hook.dll
| MD5 | dc973050688bfd27a2d47e0ac2e21abb |
| SHA1 | 3ff84e8c292051aa7e57439aa44b7beac68b2d71 |
| SHA256 | e69c437e565390cbc0209e7934136cc68a7caa07cf7341c870dac35ca549b225 |
| SHA512 | 4123df1cb903bff54897e1edd8c8c877e3fff9b81de9919569b3096fac8d80d06f73f005ef1c63269f4b50d7ee1965deb13d473b32f365c8324880ab995a600c |
C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
| MD5 | c2514c216b4b6dac1a4d740126177f29 |
| SHA1 | c25d7b051339c9d0b1ee109abfb12724a24f130d |
| SHA256 | 8212f98e9caedd00bab3c3d561055507cd617cc2b2151c956968caeccde66e11 |
| SHA512 | dfe6dab9e14b539e50eea2b8314f3937f650eded149d1264763ee4d0d045bf1959569cb31e9e7d5bf602e49c68401cde02e2e552ef3d0baca2e4d48c53d78692 |
memory/2424-156-0x0000000000150000-0x0000000000151000-memory.dmp