Malware Analysis Report

2025-08-11 01:05

Sample ID 240302-t5zcfafa31
Target PC Defender.zip
SHA256 b23eccb36868753a1131a9a6b88b33324b3cdd7e232fb80cb5df4e2994f5a9e6
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b23eccb36868753a1131a9a6b88b33324b3cdd7e232fb80cb5df4e2994f5a9e6

Threat Level: Known bad

The file PC Defender.zip was found to be: Known bad.

Malicious Activity Summary

persistence

Modifies WinLogon for persistence

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 16:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 16:39

Reported

2024-03-02 16:39

Platform

win7-20240220-en

Max time kernel

33s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\Antispyware.exe\"" C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\hook.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76405a.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_966CD4ED37489844400D0C.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI41B2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76405a.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76405d.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76405f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76405d.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_3F16219B047CF8432B7ADA.exe C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\Found\C:\Windows\inf\mdmaiwa4.inf = "Backdoor.Win32.Bifrose.cbfm" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerMinute = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerNever = "1" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerMinute = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerDayOfWeek = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerDaily = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerSecond = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerSecond = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerHour = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\ C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\scanSchedulerNever = "1" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Def Group\Antispyware\updateSchedulerDayOfWeek = "0" C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Language = "1033" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528\DefaultFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\ProductName = "PC Defender" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Version = "16777216" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\InstanceType = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\PackageCode = "18627594958587344B2B3984171915B1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Media C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AdvertiseFlags = "388" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Version = "16777216" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Language = "1033" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\ProductName = "PC Defender" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\AuthorizedLUAApp = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Assignment = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\Net C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\SourceList\PackageName = "PCDefenderSilentSetup.msi" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528\SourceList\PackageName = "PCDefenderSilentSetup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\PackageCode = "18627594958587344B2B3984171915B1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\DeploymentFlags = "3" C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_\Clients = 3a0000000000 C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A

Suspicious use of AdjustPrivilegeToken

The long run of rows for the 32-bit msiexec.exe client is Windows Installer enabling its whole privilege list in one pass, which is normal installer behaviour rather than something this package asks for; the vssvc.exe and DrvInst.exe rows are consistent with the restore-point snapshot Windows Installer requests at the start of an install. None of the rows belong to Antispyware.exe or proccheck.exe, so this signature says nothing about the installed binaries themselves.

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Every row is Antispyware.exe, and the Files section lists hook.dll dropped in the same directory. A global hook set with SetWindowsHookEx and a DLL module handle gets that DLL loaded into every process on the desktop that receives the hooked event type (a 32-bit hook DLL only reaches 32-bit processes), so hook.dll, not the calling executable, is where any injected code would sit; its hashes are under Files.

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe N/A

Suspicious use of WriteProcessMemory

In every row the target is a process the writer has just started, which is the write CreateProcess itself makes into a new child's address space, so read this table as the recorded process tree rather than as injection into an unrelated process: the SFX starts the 32-bit msiexec.exe client, the Windows Installer service starts the 32-bit custom action server MsiExec.exe, that server runs the four reg.exe commands and Antispyware.exe, and each Antispyware.exe instance starts proccheck.exe.

Description Indicator Process Target
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1992 wrote to memory of 540 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 540 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 540 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 540 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 784 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 784 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 784 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 784 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 1148 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 1148 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 1148 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 1148 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 2336 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 2336 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 2336 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 2336 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 556 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 1992 wrote to memory of 556 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 1992 wrote to memory of 556 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 1992 wrote to memory of 556 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 556 wrote to memory of 304 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 556 wrote to memory of 304 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 556 wrote to memory of 304 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 556 wrote to memory of 304 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 1948 wrote to memory of 2112 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 1948 wrote to memory of 2112 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 1948 wrote to memory of 2112 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 1948 wrote to memory of 2112 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
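
The two tables above, read together, give the process tree and the privilege profile of each process. The following is an added example, not part of the sandbox report: a small parser for rows in this report's "Description Indicator Process Target" layout that rebuilds the tree from the "PID x wrote to memory of y" rows (collapsing repeated rows to one edge) and tallies the "Token:" rows per process, flagging the privileges an attacker would care about. The sample rows are copied from the tables above; the function names and the high-value privilege list are this example's own choices.

```python
import re
from collections import defaultdict

# Row shapes in this report's signature tables (columns: Description Indicator Process Target).
WPM_ROW = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
                     r"(?P<pimage>.+?) (?P<cimage>[A-Za-z]:\\.+)$")
TOKEN_ROW = re.compile(r"^Token: (?P<priv>Se\w+) N/A (?P<image>.+?) N/A$")

# Rows copied from the tables above (one row per distinct edge, plus one repeat to show dedup).
SAMPLE_WPM_ROWS = r"""
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2260 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\[email protected] C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 1992 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1992 wrote to memory of 540 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 784 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 1148 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 2336 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 1992 wrote to memory of 556 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe
PID 556 wrote to memory of 304 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 1948 wrote to memory of 2112 N/A C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
"""
SAMPLE_TOKEN_ROWS = r"""
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
"""

# Privileges worth a second look when a process enables them (this example's own list).
HIGH_VALUE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
              "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
              "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
              "SeCreateTokenPrivilege"}


def build_process_tree(text):
    """Return (children, images): children maps parent pid -> sorted child pids, repeated rows
    collapsing to one edge; images maps pid -> image path as the table records it."""
    children, images = defaultdict(set), {}
    for line in text.splitlines():
        m = WPM_ROW.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m["parent"]), int(m["child"])
        children[ppid].add(cpid)
        images.setdefault(ppid, m["pimage"])
        images.setdefault(cpid, m["cimage"])
    return {p: sorted(c) for p, c in children.items()}, images


def roots(children):
    """PIDs that write to others but are never written to: the tops of the recorded tree."""
    written_to = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in written_to)


def render_tree(children, images):
    """Indented text tree, one process per line, from the roots down."""
    lines = []

    def walk(pid, depth):
        lines.append("%s%d %s" % ("  " * depth, pid, images.get(pid, "?")))
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots(children):
        walk(r, 0)
    return "\n".join(lines)


def privileges_by_process(text):
    """image -> privilege names in table order; duplicates are kept because each row is one call."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = TOKEN_ROW.match(line.strip())
        if m:
            out[m["image"]].append(m["priv"])
    return dict(out)


def high_value_privileges(by_process):
    """image -> sorted high-value privileges it enabled, for processes that enabled any."""
    return {img: sorted(set(privs) & HIGH_VALUE)
            for img, privs in by_process.items() if set(privs) & HIGH_VALUE}


if __name__ == "__main__":
    children, images = build_process_tree(SAMPLE_WPM_ROWS)
    print(render_tree(children, images))
    for img, privs in high_value_privileges(privileges_by_process(SAMPLE_TOKEN_ROWS)).items():
        print(img, ", ".join(privs))
```

Run against the full tables rather than the sample rows, the tree shows 1948 as a root because the report never records who started the second Antispyware.exe, and the privilege summary shows the whole privilege list on the msiexec.exe client and nothing on the dropped binaries.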

Uses Volume Shadow Copy service COM API

ransomware

The supporting evidence in this run is vssvc.exe starting and DrvInst.exe installing the snapshot volume STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 (see Processes), with SeBackupPrivilege and SeRestorePrivilege adjusted by vssvc.exe. That is what the restore point Windows Installer creates at the start of an install looks like; nothing in this report shows shadow copies being deleted or files being encrypted, so the ransomware tag is a tag on the API family used, not a verdict on the sample.

Processes

PIDs in parentheses are taken from the WriteProcessMemory table above; the process list itself does not record them.

C:\Users\Admin\AppData\Local\Temp\[email protected] (PID 2260; a WinRAR self-extractor, which unpacks into the RarSFX0 directory used below)

"C:\Users\Admin\AppData\Local\Temp\[email protected]"

C:\Windows\SysWOW64\msiexec.exe (PID 1276; the 32-bit Windows Installer client. The command line names System32\msiexec.exe, but a 32-bit caller is redirected to the SysWOW64 copy by WOW64 file system redirection)

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi"

C:\Windows\system32\msiexec.exe (PID 2528; the Windows Installer service, which runs as msiexec.exe /V)

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe (Volume Shadow Copy service)

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe (device installation for the snapshot volume, consistent with the restore point Windows Installer takes before the install)

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "000000000000039C"

C:\Windows\syswow64\MsiExec.exe (PID 1992; the 32-bit custom action server the service starts for this package, and the parent of the four reg.exe commands and of one Antispyware.exe)

C:\Windows\syswow64\MsiExec.exe -Embedding 71AA340524A4D9270EA015A138DC85D0 M Global\MSI0000

The four reg.exe commands that follow (PIDs 540, 784, 1148 and 2336; the table does not say which PID ran which command) copy the product's Windows Installer registration to a key with a trailing underscore and then delete the original. That removes the product from the Installer's own product enumeration, and with it from the normal msiexec /x uninstall, while keeping the registration data under the renamed key.

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528 /f

C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe (the WriteProcessMemory table gives PIDs 556, started by the custom action server, and 1948 for two of the three instances; which listing is which is not recorded)

"C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe"

C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe (PIDs 304 and 2112; started by Antispyware.exe with its parent's file name as the only argument)

"C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" Antispyware.exe

C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe

"C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe"

C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

"C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" Antispyware.exe

C:\Program Files\Windows Defender\MSASCui.exe (the Windows Defender user interface on Windows 7; no parent is recorded in this report)

"C:\Program Files\Windows Defender\MSASCui.exe"

C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe

"C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe"
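
The key name in the reg.exe commands, E8CBA2CF517323A48B5B5539084F2528, is Windows Installer's packed form of the package's ProductCode GUID: the first three GUID groups are reversed and the two characters of every byte in the last two groups are swapped. Converting it back gives the ProductCode to look for in the Uninstall registry and to pass to msiexec /x. The following converter is an added example, not code from the report; the registry locations it returns are the standard ones for a per-machine 32-bit package on 64-bit Windows, and the function names are its own.

```python
import re

# Key name from the reg.exe COPY/DELETE commands above.
PACKED_KEY = "E8CBA2CF517323A48B5B5539084F2528"


def _swap_pairs(s):
    """'8B5B' -> 'B8B5': swap the two hex characters of every byte."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def unpack_product_code(packed):
    """Packed Installer key name (32 hex chars) -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    packed = packed.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", packed):
        raise ValueError("packed key must be 32 hex characters")
    g1, g2, g3 = packed[0:8][::-1], packed[8:12][::-1], packed[12:16][::-1]
    tail = _swap_pairs(packed[16:32])          # groups 4 and 5, byte-swapped
    return "{%s-%s-%s-%s-%s}" % (g1, g2, g3, tail[:4], tail[4:])


def pack_product_code(guid):
    """Inverse of unpack_product_code; every step is its own inverse."""
    hexs = re.sub(r"[{}\-]", "", guid).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", hexs):
        raise ValueError("not a GUID")
    return hexs[0:8][::-1] + hexs[8:12][::-1] + hexs[12:16][::-1] + _swap_pairs(hexs[16:32])


def registry_paths(guid):
    """Registry locations that carry this ProductCode on a Windows host. The first is the
    key the sample copied and deleted; the others are where to confirm whether the product
    is still registered. The package is 32-bit, so its Uninstall entry sits under Wow6432Node."""
    packed = pack_product_code(guid)
    return {
        "installer_products": r"HKLM\SOFTWARE\Classes\Installer\Products\%s" % packed,
        "installer_userdata": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\%s" % packed,
        "uninstall": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%s" % guid,
    }


def uninstall_command(packed):
    """msiexec takes the real ProductCode, not the packed key name."""
    return 'msiexec /x "%s" /qn' % unpack_product_code(packed)


if __name__ == "__main__":
    code = unpack_product_code(PACKED_KEY)
    print(code)
    for name, path in registry_paths(code).items():
        print("%-20s %s" % (name, path))
    print(uninstall_command(PACKED_KEY))
```

Because the sample deletes the Installer\Products key, msiexec /x with the recovered ProductCode will report the product as not installed on an infected host; the copy under the "_" key still holds the registration data and can be copied back before uninstalling.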

Network

N/A

Files

The five entries with hashes are the MSI, the three binaries it installs (Antispyware.exe, hook.dll, proccheck.exe) and C:\Config.Msi\f76405e.rbs, the rollback script Windows Installer writes during an install, which is ordinary installer residue rather than a payload. The two memory/... entries are dumps the sandbox took from PIDs 1992 and 2424, not files the sample wrote; PID 2424 does not appear in the WriteProcessMemory table, so that dump cannot be tied to a listed process from this report alone.

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PCDefenderSilentSetup.msi

MD5 7f728acab22868ca02cc1ba0a14f5d64
SHA1 9e3e82b152447b8bcd27583fbdab7aa91ca4739d
SHA256 586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4
SHA512 9bc8bb97e6d4f18ec484fcd792466cb5df0bf0447cbaa19a41258ef80e599e8a2b2c83c700f32f30bef578b03614af1b554844d051435dc9f510ccbd56686800

memory/1992-26-0x00000000006F0000-0x00000000006F2000-memory.dmp

C:\Program Files (x86)\Def Group\PC Defender\Antispyware.exe

MD5 af4761437567f84ffbec44c978ac2634
SHA1 488e27e01b629f3c2cd274a3c6572cdb040fc137
SHA256 41922380e3a419fea5a794a16e7abe3364c08da6c66fca0ce8f37c20e21ede68
SHA512 82694af3458a01040b9753f133e446c32fef105d4d36dfe8a5fa944080f4b6736dc8e4fbe2abb3db6f79ff24f8e1b9f07543c1193410cfa0a3faafd3e1ce096d

C:\Config.Msi\f76405e.rbs

MD5 9ebe73b0da14e32c19ed94445e34a9ee
SHA1 77e98228c192a24adeb14d9f02eb4790b67ed3ed
SHA256 87e6e733a90474844a05a6c922e6196d1ecd0c8502faeb6ce6b5b873cb6daeac
SHA512 5fe5eb18974f56ae66bf9a7a32aaa44d89fb8bbe32ace0ac0f78b12d282a31529fbc4aa5b709d648cd1b2737f38cf24a75513ed18e9093ae92127d6bfb40200e

\Program Files (x86)\Def Group\PC Defender\hook.dll

MD5 dc973050688bfd27a2d47e0ac2e21abb
SHA1 3ff84e8c292051aa7e57439aa44b7beac68b2d71
SHA256 e69c437e565390cbc0209e7934136cc68a7caa07cf7341c870dac35ca549b225
SHA512 4123df1cb903bff54897e1edd8c8c877e3fff9b81de9919569b3096fac8d80d06f73f005ef1c63269f4b50d7ee1965deb13d473b32f365c8324880ab995a600c

C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

MD5 c2514c216b4b6dac1a4d740126177f29
SHA1 c25d7b051339c9d0b1ee109abfb12724a24f130d
SHA256 8212f98e9caedd00bab3c3d561055507cd617cc2b2151c956968caeccde66e11
SHA512 dfe6dab9e14b539e50eea2b8314f3937f650eded149d1264763ee4d0d045bf1959569cb31e9e7d5bf602e49c68401cde02e2e552ef3d0baca2e4d48c53d78692

memory/2424-156-0x0000000000150000-0x0000000000151000-memory.dmp
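
To check a host or a mounted image for the dropped files above, both at the paths the installer used and anywhere else under the same hashes, the following sweep is an added example, not part of the report. The SHA256 values and relative paths are the ones listed above; the root directory argument, the function names and the constructed demo tree are this example's own.

```python
import hashlib
import os
import tempfile

# Dropped artifacts from the Files section above, as paths relative to the system drive
# (forward slashes so the same table works against an image mounted on Linux) -> SHA256.
REPORT_FILES = {
    "Users/Admin/AppData/Local/Temp/RarSFX0/PCDefenderSilentSetup.msi":
        "586f9a9af50b2a3321e77d2b4583741cc4842967af9429cc371534f7179caec4",
    "Program Files (x86)/Def Group/PC Defender/Antispyware.exe":
        "41922380e3a419fea5a794a16e7abe3364c08da6c66fca0ce8f37c20e21ede68",
    "Program Files (x86)/Def Group/PC Defender/hook.dll":
        "e69c437e565390cbc0209e7934136cc68a7caa07cf7341c870dac35ca549b225",
    "Program Files (x86)/Def Group/PC Defender/proccheck.exe":
        "8212f98e9caedd00bab3c3d561055507cd617cc2b2151c956968caeccde66e11",
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=REPORT_FILES):
    """Look for the report's artifacts under root (a mounted system drive, or C:\\ on a live host).
    path_hits: expected drop locations that exist, with True/False for whether the content still
    has the reported hash (present but mismatching points at a rebuilt or patched binary).
    hash_hits: every file under root whose SHA256 is in the IOC set, whatever it is named."""
    by_digest = {digest: rel for rel, digest in iocs.items()}
    path_hits, hash_hits = [], []
    for rel, expected in iocs.items():
        p = os.path.join(root, *rel.split("/"))
        if os.path.isfile(p):
            path_hits.append((rel, sha256_file(p) == expected))
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:          # locked or unreadable file: skip it, do not abort the sweep
                continue
            if digest in by_digest:
                rel = os.path.relpath(p, root).replace(os.sep, "/")
                hash_hits.append((rel, by_digest[digest]))
    return {"path_hits": sorted(path_hits), "hash_hits": sorted(hash_hits)}


def demo():
    """Constructed evidence tree (no real sample involved): hook.dll at its expected path with
    the expected content, proccheck.exe at its path with other content, and a renamed copy of
    the hook.dll stand-in elsewhere. The IOC table is rebuilt around the stand-ins' hashes."""
    hook_rel = "Program Files (x86)/Def Group/PC Defender/hook.dll"
    proc_rel = "Program Files (x86)/Def Group/PC Defender/proccheck.exe"
    stand_in = b"constructed stand-in for hook.dll, not the real file"
    iocs = {hook_rel: hashlib.sha256(stand_in).hexdigest(),
            proc_rel: hashlib.sha256(b"constructed stand-in for proccheck.exe").hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in ((hook_rel, stand_in),
                          (proc_rel, b"something else entirely"),
                          ("Users/Public/svc.bin", stand_in)):
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        return sweep(root, iocs)


if __name__ == "__main__":
    print(demo())
```

On a real host, pass the system drive root (or the mount point of an offline image) and the unmodified REPORT_FILES table; a hash hit under an unexpected name is the more interesting result, since the expected paths are easy to rename.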