Malware Analysis Report

2025-08-11 01:06

Sample ID: 240302-t6f79afd68
Target: PC Defender v2.zip
SHA256: 854113f2737ee276ba34fac399e8a615e4de4c712dd7a761ab0e198fa09d87fc
Tags: persistence
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: 854113f2737ee276ba34fac399e8a615e4de4c712dd7a761ab0e198fa09d87fc

Threat Level: Shows suspicious behavior

The file PC Defender v2.zip was found to show suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon for persistence

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-02 16:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 16:39

Reported: 2024-03-02 16:40

Platform: win7-20240221-en

Max time kernel: 25s

Max time network: 16s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]

Signatures

Adds Run key to start application

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\delrstrui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KEOJFMRIICVIUAHYG.bat" C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Modifies WinLogon for persistence

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\pcdef.exe\"" C:\Windows\syswow64\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\prockill32.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\uninstall.bat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f764402.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f764405.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f764405.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f764407.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f764402.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI44DD.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9E6DD28BF81ED654F84A0E1B229F9D5B C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\PackageName = "[email protected]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AdvertiseFlags = "388" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\PackageCode = "793E8A3EDC915D546911442ABED08716" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21B3A6546EF8EA14E9C5E5550F17C290\DefaultFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\ProductName = "PC Defender" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Version = "33554432" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Language = "1033" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\PackageCode = "793E8A3EDC915D546911442ABED08716" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9E6DD28BF81ED654F84A0E1B229F9D5B\21B3A6546EF8EA14E9C5E5550F17C290 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "[email protected]" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21B3A6546EF8EA14E9C5E5550F17C290 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Clients = 3a0000000000 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2328 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2328 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2328 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2328 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2328 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2328 wrote to memory of 2832 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2832 wrote to memory of 600 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 600 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 600 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 600 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1520 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1520 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1520 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1520 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1552 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1552 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1552 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1552 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 632 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 632 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 632 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 632 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 1916 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 1916 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 1916 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 1916 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 3040 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
PID 2832 wrote to memory of 3040 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
PID 2832 wrote to memory of 3040 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
PID 2832 wrote to memory of 3040 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
PID 3040 wrote to memory of 1284 N/A C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
PID 3040 wrote to memory of 1284 N/A C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
PID 3040 wrote to memory of 1284 N/A C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
PID 3040 wrote to memory of 1284 N/A C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
PID 2876 wrote to memory of 2128 N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
PID 2876 wrote to memory of 2128 N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
PID 2876 wrote to memory of 2128 N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
PID 2876 wrote to memory of 2128 N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
PID 2128 wrote to memory of 1804 N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
PID 2128 wrote to memory of 1804 N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
PID 2128 wrote to memory of 1804 N/A C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
PID 2876 wrote to memory of 2000 N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 2876 wrote to memory of 2000 N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 2876 wrote to memory of 2000 N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
PID 2876 wrote to memory of 2000 N/A C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000048C" "00000000000005A8"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0AD245359E96357DBF35FBBD452D9 M Global\MSI0000

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"

C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe

"C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"

C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe

"C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1

C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe

"C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe"

C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe

"C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe"

C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe

"C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe"

C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

"C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" pcdef.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pc-defender.org udp

Files

memory/2832-20-0x00000000001E0000-0x00000000001E2000-memory.dmp

C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe

MD5 c05ccc260692e8bfb5b6ba7238dbb943
SHA1 4ad185a7acb1c4ffcb3c03daa77cc77a833ae7e6
SHA256 0d58d2b03e3f6d5f32216e74badae8ad0d7f94cc4f207d06883ba953a1594cba
SHA512 7707d1c3f9085a710527e2d1559c8268ca3a1fb70fca9f1cf391a02cd81002193c6971cefd7b00b371e14adf5ae7b83b63206b88ead13b04a20ad08c7154ac22

C:\Config.Msi\f764406.rbs

MD5 649c88dd120aa4261771978ccac4bc24
SHA1 a9a2573b4acd6b61abfdf58a03711b5fefe63080
SHA256 18031a3ce68b8ad3fd7f7343aab29d4940bf2b9353e3ff72b743b8c6397377b7
SHA512 e797dcdc9366dc65ac2a8ef17e0a6afc052cca4b17ab5a70e13a0623b19da9abd56f8fa439ba0d4616906dea8c311a50585ecb350803855f78db2be3f700c252

C:\Windows\Installer\f764402.msi

MD5 b3dce5c3f95a18fd076fad0f73bb9e39
SHA1 e80cc285a77302ee221f47e4e94823d4b2eba368
SHA256 df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff
SHA512 c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c

C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe

MD5 f37c2e31bd57905b90de048c58221dd4
SHA1 95d3972a5c6cf223e70d01e11e04a798eea59f8a
SHA256 352492ae2be4b4fcfe97a76f5318abe2351d9c4d33d6438a8f2fc87ed6601a06
SHA512 8bb6548c9a8ab47e9380ef0d01fd824c84a12469b29f5874de2969359a81d122aa379973608592ccee556b6639bfe85f920346e2f2c104ba5c333c57ce091680

C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe

MD5 46b816356a5e05f65bfaed216106e7a0
SHA1 e7c55d7b4d2887a93ea55e55ed45ee57f8fbe9fa
SHA256 7eb8eecdf4654171f721a58a44d19ba2a1f35d8bbdabf38bff9f1c3c31fc1d19
SHA512 54cc8b6e56bba14608c95e5c678c00ed363e7e0cff77f9799ed3654022e13c883136b6477e2aa4b753c7ef8331033369168900f61bd36b35384dc72c4e60e3be

C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

MD5 d96a5175eecd752ca22f41bad80870c0
SHA1 00f68eee206c2a6b07dd86e1cbf008c082a8032f
SHA256 c3ab412d3ea0232bb891319fe9ac79b1ed0a61d9251a574c9502a6cef0b1f5b5
SHA512 918db6e7728d2890fbd3afd8a9f4da2636d6eabe0cbeaeacb379db9ea779d7ba6133ed4b367725487bf18c10874f5700be5d252d527116ccf879842afadbe13c