88977075356dc9e4c81ff59e5ffc004ab3d62070c1062ce7b690a941d5328090

Analysis

max time kernel
156s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCWProtectorSetup_Voice_Service.exe
Size

4.4MB
MD5

f14cc766cc424af695d5a22cf4603b00
SHA1

c305a43566ccc3427207c47f15ea348fb042ca60
SHA256

1e679e36e89a01b3c78d9e29600350d92469bded84088b4d00df2b70d50386f7
SHA512

bd7a7dbbb0e21c8893e968a5caa0390951e00281a7670f5d226cb8417b515e581d4726e61e36a39a83cdff4942204c96c57bdd7e5c11d50c178831ac63113739
SSDEEP

98304:gXr7+/ec6Mz2O1dXd8QDCoqF4AbrvQdw+bUiCMNjkTntdIhR3:gb769z2+dXdJ93q+bUi9ekT

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3812	PCWUpdater64.exe
1560	PCWProtectorService64.exe
2248	PCWProtectorDummy64.exe
3956	PCWProtector.exe

Loads dropped DLL 27 IoCs

pid	Process
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
1560	PCWProtectorService64.exe
2156	regsvr32.exe
3192	regsvr32.exe
5104	regsvr32.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
3248	PCWProtectorSetup_Voice_Service.exe
1560	PCWProtectorService64.exe
3248	PCWProtectorSetup_Voice_Service.exe
1560	PCWProtectorService64.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe

Registers COM server for autorun 1 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32\ = "C:\\Windows\\Protect\\PCW64.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32\ = "C:\\Windows\\Protect\\PCW64.ocx"	regsvr32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WMlogo.bmp	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TftLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TftLib64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDCommonLib64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDCommonLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\T_Prevent64.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDepend64.exe	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\RdUtil.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\SysWOW64\TftLib.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\T_Prevent.dll	PCWProtectorService64.exe
File created	C:\Windows\SysWOW64\TDepend.exe	PCWProtectorService64.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\Protect\WMlogo.bmp	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TModule64.dll	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\T_Preventup.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	PCWUpdater64.exe
File created	C:\Windows\Protect\PCWProtectorService64.exe	PCWUpdater64.exe
File created	C:\Windows\Protect\PCWProtector.exe	PCWUpdater64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	PCWProtectorService64.exe
File created	C:\Windows\Protect\T_Prevent64up.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TDCommonLib64up.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TftLib64up.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TModule.dll	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\T_Prevent64up.dll	PCWProtectorService64.exe
File created	C:\Windows\Protect\TDCommonLibup.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\policy.ini	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\TDepend64up.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCWUpdater64.exe	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\TftLibup.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\TDCommonLibup.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\TDCommonLib64up.dll	PCWProtectorService64.exe
File created	C:\Windows\Protect\T_Preventup.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\RDUtil.dll	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\TDependup.exe	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\TftLib64up.dll	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	PCWProtector.exe
File created	C:\Windows\Protect\TftLibup.dll	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\Uninstall64.exe	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	regsvr32.exe
File opened for modification	C:\Windows\Protect\TDepend64up.exe	PCWProtectorService64.exe
File opened for modification	C:\Windows\Protect\RdUtil.dll	PCWProtectorService64.exe
File created	C:\Windows\Protect\TDependup.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCWProtectorB.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCWProtectorDummy64.exe	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCW.ocx	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	PCWProtectorDummy64.exe
File created	C:\Windows\Protect\PCW64.ocx	PCWProtectorSetup_Voice_Service.exe
File created	C:\Windows\Protect\PCWProtectorService64B.exe	PCWProtectorSetup_Voice_Service.exe
File opened for modification	C:\Windows\Protect\PCWProtectorService64.exe	PCWUpdater64.exe
File opened for modification	C:\Windows\Protect\PCWProtector.log	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\CLSID\ = "{E0A34207-F738-4474-9E89-0A184BD3E947}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\ = "PCW Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32\ = "C:\\Windows\\Protect\\PCW.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\ToolboxBitmap32\ = "C:\\Windows\\Protect\\PCW.ocx, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\ = "PCW Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\0\win64\ = "C:\\Windows\\Protect\\PCW64.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32\ = "C:\\Windows\\Protect\\PCW64.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\InprocServer32\ = "C:\\Windows\\Protect\\PCW.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\ToolboxBitmap32\ = "C:\\Windows\\Protect\\PCW64.ocx, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\TypeLib\ = "{E9662742-1760-4CC7-9BD9-CECFD6F0F594}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48AAF3B1-ABED-480E-B196-CA325A4E5D03}\InprocServer32\ = "C:\\Windows\\Protect\\PCW64.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\CLSID\ = "{E0A34207-F738-4474-9E89-0A184BD3E947}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ = "_DPCW"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib\ = "{E9662742-1760-4CC7-9BD9-CECFD6F0F594}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B331BA4-FE84-4EE4-ACFC-F941B02F6282}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\ = "PCW Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E9662742-1760-4CC7-9BD9-CECFD6F0F594}\1.0\0\win32\ = "C:\\Windows\\Protect\\PCW.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCW.PCWCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0A34207-F738-4474-9E89-0A184BD3E947}\TypeLib\ = "{E9662742-1760-4CC7-9BD9-CECFD6F0F594}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\TypeLib\ = "{E9662742-1760-4CC7-9BD9-CECFD6F0F594}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BF057EB-2D2F-4396-911F-B564A366AAA5}\ = "_DPCW"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
1560	PCWProtectorService64.exe
3248	PCWProtectorSetup_Voice_Service.exe
3248	PCWProtectorSetup_Voice_Service.exe
2248	PCWProtectorDummy64.exe
2248	PCWProtectorDummy64.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3812	PCWUpdater64.exe
Token: SeDebugPrivilege	3812	PCWUpdater64.exe
Token: SeDebugPrivilege	1560	PCWProtectorService64.exe
Token: SeDebugPrivilege	2156	regsvr32.exe
Token: SeDebugPrivilege	5104	regsvr32.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	2248	PCWProtectorDummy64.exe
Token: SeDebugPrivilege	3956	PCWProtector.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe
Token: SeDebugPrivilege	3248	PCWProtectorSetup_Voice_Service.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3812	PCWUpdater64.exe
3812	PCWUpdater64.exe
2248	PCWProtectorDummy64.exe
2248	PCWProtectorDummy64.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe
3956	PCWProtector.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 3812	3248	PCWProtectorSetup_Voice_Service.exe	91
PID 3248 wrote to memory of 3812	3248	PCWProtectorSetup_Voice_Service.exe	91
PID 3248 wrote to memory of 2156	3248	PCWProtectorSetup_Voice_Service.exe	98
PID 3248 wrote to memory of 2156	3248	PCWProtectorSetup_Voice_Service.exe	98
PID 3248 wrote to memory of 2156	3248	PCWProtectorSetup_Voice_Service.exe	98
PID 3248 wrote to memory of 3192	3248	PCWProtectorSetup_Voice_Service.exe	100
PID 3248 wrote to memory of 3192	3248	PCWProtectorSetup_Voice_Service.exe	100
PID 3248 wrote to memory of 3192	3248	PCWProtectorSetup_Voice_Service.exe	100
PID 3192 wrote to memory of 5104	3192	regsvr32.exe	101
PID 3192 wrote to memory of 5104	3192	regsvr32.exe	101
PID 1560 wrote to memory of 2248	1560	PCWProtectorService64.exe	104
PID 1560 wrote to memory of 2248	1560	PCWProtectorService64.exe	104
PID 2248 wrote to memory of 3956	2248	PCWProtectorDummy64.exe	105
PID 2248 wrote to memory of 3956	2248	PCWProtectorDummy64.exe	105
PID 2248 wrote to memory of 3956	2248	PCWProtectorDummy64.exe	105

C:\Users\Admin\AppData\Local\Temp\PCWProtectorSetup_Voice_Service.exe
"C:\Users\Admin\AppData\Local\Temp\PCWProtectorSetup_Voice_Service.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\Protect\PCWUpdater64.exe
  C:\Windows\Protect\PCWUpdater64.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3812
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\Protect\PCW.ocx"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\Protect\PCW64.ocx"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Windows\Protect\PCW64.ocx"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5104

C:\Windows\Protect\PCWProtectorService64.exe
C:\Windows\Protect\PCWProtectorService64.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\Protect\PCWProtectorDummy64.exe
  C:\Windows\Protect\PCWProtectorDummy64.exe 1
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\Protect\PCWProtector.exe
    C:\Windows\Protect\PCWProtector.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj365E.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj365E.tmp\PCWPlugin.dll

Filesize
262KB

MD5
8240bee02c3ad64fe256a67479de886c

SHA1
afb6f7fede3ef1509b1be979dd3ca1ce5ea03db6

SHA256
d0a7db3315f28a3b1016b21a78d30b71d961b5979d50635c716df5c11fd1351e

SHA512
34170981f78f77814c6869f3833631726c869ddab28827260d3a9ab9fd9b899414f53a7c94517cf25afebb883e2638190c1b396259fead3cb3dc1f123b94ad33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj365E.tmp\PCWProtector.log

Filesize
37B

MD5
fe66a57578e17ad360ab1a5ee9508730

SHA1
e3a6c924df65990dcf271caa04cf82746a30f07a

SHA256
226ca4ce9e25d28d691c3430a706d9a20095aec6a2b479167a29ca2dbdceb621

SHA512
634becc06bbb328c85d0ae34416f754f0d7ac324311a2c833fa4d9f55810749d7786ec5d60e5627425372f412f1d805eede882198569dd9eddd29e45476017af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj365E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj365E.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj365E.tmp\ioSpecial.ini

Filesize
526B

MD5
1cd39d45e349ebe640f8848f647d59e5

SHA1
131b4148bb8e46dd2f6e89d105b4201c1576d47f

SHA256
b001df69448f6aba8a5c175a904ba0505121388388e180763944a96a5c26f083

SHA512
3eb3757f1ccaddcb5700a6ef3da0128154e962eb621107a70f33251dc9cb291369a2ed8644ab84cc157cf41043598729597baf013da86d259fdb522d2e6953c5

Download Submit
C:\Windows\Protect\PCW.ocx

Filesize
399KB

MD5
074b45a78113cf096d43187a5d38bbb6

SHA1
d31653a23df8e96c1f3f0f46a6178e8c3b05dcb5

SHA256
0b26f0cdc7dedcda0668ba6628aa9d3774ed5c97c7801c18b582cf4f43367f7c

SHA512
725755591e127e809be2aa7b3262178328257ff49f7666cb1005cdecb56b37936ca9b5cf83c3c343851f8c0063664def10efd9b183d94e78fcbbf46945e66c89

Download Submit
C:\Windows\Protect\PCW64.ocx

Filesize
524KB

MD5
61b0ff9ac09a1da24fc7c08d22f5a33d

SHA1
9a3411af07a241d6a5fd482d3ade8d7872944d60

SHA256
68ab12650aaefa3933928ac44ab01451c8923dfdf10b309c5723affe2c946550

SHA512
2d954b764c9e793f203a07a20df6fb7fe0044652ffe61053d55872c2763708039514ee2cc13fa67bf9070d2ab93b54227681e86f663a9f4df5f711d89f4045ef

Download Submit
C:\Windows\Protect\PCWProtector.log

Filesize
767B

MD5
bfaf79c995fc4199ef92ca6ac96b8362

SHA1
f4f4ac7855078ad91cf9af5583c4b145cea3d6e4

SHA256
5bac53d54e6d5c2590e25eb5da9832a661ca0e7d455a7a3e1994be1e505ad8b5

SHA512
3401db407b95db66e7b874a93fb6ab5a19f0af9bef9886839f4512a3249bacd7a6426821921c9ba38b1a01817369d4cb56f29cd87ae5c2482d35e193593630ea

Download Submit
C:\Windows\Protect\PCWProtector.log

Filesize
1KB

MD5
b7b43b867dc6995547650c1a0e2dd4be

SHA1
1848980045a0a57f0dec3e47305459b5668da91b

SHA256
9eb168c04da2496a4395402e677975fa7dbd0ba0fb0f4194241734b1d17e469b

SHA512
121e0e3ee393abd18fde743b17f0f4e48038ac9281e01a962d8b55cbbb6d05d2785f78977f67dcede0ac8d1b7c14198fd5758d97b9168efa3123254430e95ce5

Download Submit
C:\Windows\Protect\PCWProtector.log

Filesize
197B

MD5
fe8836d6db245c6c1f796d1b4d889630

SHA1
c21776a443643d656f542e474f68808ca050cef2

SHA256
39dc0029d6dc174531b865756ec82a3958a8b5fb6e69bcfd348ae3b45681e714

SHA512
f6a97796ed439d1fb8aaba474b6f29fed6c8284dd035cfab4cc699450e26828117fd52253f375339e244a79a95829578490d6b1ace16ef26455e87e283f7763a

Download Submit
C:\Windows\Protect\PCWProtectorB.exe

Filesize
567KB

MD5
6ce74b64aee3c89d3939bb15ecfe7888

SHA1
58ec5c6b43b90aaa6fa7919c1dbf46812378efae

SHA256
ccb0bd5f3e296c35b38348cf4f231f93ce9bb57af42c328b0aba9e29103ee391

SHA512
f39486655c3d58a62d5c310ce181da0f7dee61e2d3179571b6c1e25ceba3b20c9061565708b8e7c5c5232ca3210348ed82305a105b3b678fadef7b62a2be8c64

Download Submit
C:\Windows\Protect\PCWProtectorDummy64.exe

Filesize
501KB

MD5
4e4009a8838142a76a1d3b7e9a72b0a2

SHA1
fce0ef120d20a322afbc0a0e8c942c69f2218e85

SHA256
3668f959946e719f5a72cc7c5311adf9e8dc5a13d94ca6e0b994d3a520adf881

SHA512
186de07c13518bbffc8eae9857228a4b51080fe409cd7499d9a9c1575a9cd2229c1d20418f121380e7b730ea9404595070b1b4f7ad55354472a9de49ac5a2d17

Download Submit
C:\Windows\Protect\PCWProtectorService64B.exe

Filesize
287KB

MD5
eb2aa21de1026a8a831af0797aac9a78

SHA1
0e5e03f209a50a46ac14246ae46ef19ee14d7233

SHA256
82c4c819c4d543f6131cbc462206e9cdaf4931abe6f73c21b6df4968897572a2

SHA512
89758110eef34b9c08b09cfb10569b0ce4b16788dc68029c12fda84859240d514d2a41827a61e99b9e2a8f1be1ce251a2fd8aeba990dfbb176158f6096ad11e2

Download Submit
C:\Windows\Protect\PCWUpdater64.exe

Filesize
520KB

MD5
506ce3ed7e4ee4d42c05482ebd9e230f

SHA1
4eb0d15002fad41803818600aa24002581b40bfa

SHA256
29ecf971c9d8b5301171b6f786164a1cea29fbf27e20949635e4b95307b2880b

SHA512
1997a7406afee2c460200addd76aca44478df66a5f5e16d153d4ff6e4e9e2b83fca12f338b4c6a55dfad843dfae243d005d7ef1f3870b376cfe8b21ff83dd74c

Download Submit
C:\Windows\Protect\RdUtil.dll

Filesize
274KB

MD5
47c45dc36bbf3c5e6130dcfe37c89347

SHA1
5098af2483b5e2edf205bca47d43b086ddfd8d9d

SHA256
6f149b8ff0e97d0d2dcae5a952e6bdbc6222116eb2f865c7129f32f3fd3c5fa2

SHA512
f99724202d538a554c1bc591f7d50fe3362f42b66d243b8875a4f5d9cece8b817b6d8db35c35a2016b3268be1d0f92fff12127d1ef91be784b563a88e9902c41

Download Submit
C:\Windows\Protect\TDCommonLib64up.dll

Filesize
249KB

MD5
0e00def51125c6b54261001e3bacc19d

SHA1
a361eae15275148b77f8e168bba93e05bb04abe4

SHA256
b5945295ba8cb45903c77057b13d09c80dbd6a31eb64cff1d3a7d486e02d57a1

SHA512
597b83237db5677044ede9eb71e984bc5347e64ab86780707942a8375e4a7fb700e387f10f4dbf392367bdd7ce2ce79db0877f8422ff59e79f046691cdb52aca

Download Submit
C:\Windows\Protect\TDCommonLibup.dll

Filesize
212KB

MD5
ac67f6efefd9227789aefa657264508b

SHA1
007b50e73b92d34d3f19b96ffbf64f9289f1d4d8

SHA256
35a1fe7507c35696348fb28c6f3cb5e9c2fe1a8a6966b0a0b8fd469e521f384d

SHA512
af070714a26ccd462933ffc94f8634de8e6e2da57aebf2155444413ae05741e0b6e964a539bb79db893dd75d42339e7f8c2f450c8dc7800fc830f1f606c88f0d

Download Submit
C:\Windows\Protect\TDepend64up.exe

Filesize
490KB

MD5
b48cdc4af3bda1f3c5fc02deb759cfa2

SHA1
a007d162d5de321cfe7504c4d5212dc139f54fb0

SHA256
dfabe6784c2ab53bac3e579853449a3f57e291dd16af2fc56ebb84a56e8853aa

SHA512
33cc0c7336b8651005cebd466795d90a4a66720267756652c347593868f13fb59d601c46353d714f50fb5f47c21f1c107ca3212f42f743fe725d128e8f3a0496

Download Submit
C:\Windows\Protect\TDependup.exe

Filesize
387KB

MD5
6581da8becde34bd00604ae3a34fdf22

SHA1
310597bc32305530b9864ad517cdab915bb8310e

SHA256
a46584ab1229da1cf3b16a47e90a651b5d385e5b1c7b61d63e27d0b89148687a

SHA512
6e6e0478075639ebd105c3f8201646c5728be724311ee02500ccf0295e042b57ae072a2e694be5820df44aa47466f687960056ad8bb93e060301ba4f61be0264

Download Submit
C:\Windows\Protect\T_Prevent64up.dll

Filesize
309KB

MD5
d85f0082a012d73167921468731d1503

SHA1
43e6814e086b8385a3c03fc16526ab39adb7983a

SHA256
85235decb50cb8075a305d42809eb76f2237368d7e8155bc01cb8037c9caa18c

SHA512
3dbf52b866514c0b86fcc5752fc136d71bb4a802342801d64fe0127dfffcb6b8437e89d17fa81489c7cfcddf1c97908f1e1cdeeda67b0a1aabc48e8c78376849

Download Submit
C:\Windows\Protect\T_Preventup.dll

Filesize
258KB

MD5
c84ed9fe6e818185b971a6d10f0c16b7

SHA1
95daabafe876ebea94b24f8389ca6b0c8330e4af

SHA256
2a3324961c95098164646161108231510135f461d73e8ff07a1ee1216fff286f

SHA512
f1ffbeb198d3974afc03a4c5ca466cfb325db305e6bcb48852816e2bb1a516c441ece2bd74aaecce1e2597d59219e2b2e60c880bf2a98d7634138257ac90d3d4

Download Submit
C:\Windows\Protect\TftLib64up.dll

Filesize
303KB

MD5
69848fcf204e88745974c7650c4cb133

SHA1
cabb555c3bd71277e61eb5578267e359fd4b0809

SHA256
4cbec29c1857389174f7cd2e52d09b18307f1f58e8587c5102b12ea827a08423

SHA512
26086752234fdc212155620adf50ac6853b4b0515b5bd861a07bbf0eb6eff93c1838fc2911a471912f28195355438198c28eb0d9cef51774e010b79fda4627a2

Download Submit
C:\Windows\Protect\TftLibup.dll

Filesize
254KB

MD5
7bc750a3e94403913851e41f1028a832

SHA1
d035d67133c760b48522713bd3158ec2bf17fcbc

SHA256
64aaa65abb2d5cfd49c96d349dec267e904457ec70c91fa64d0ee60b0b155817

SHA512
8de51b3bb24cedf37a8a138f5c6177d3f8ad3602b81d387a129b2a7662c53ffe91afbba09b9f26844de535bab29ade8da7e25621efbc032e903882dda3974d61

Download Submit
C:\Windows\Protect\WMlogo.bmp

Filesize
210KB

MD5
dc27cb08c2e57eb137797d6ceab3f23c

SHA1
0caac5731c117db54d0e5fdb554b5a5c5d1f7d22

SHA256
07b7953d1a9b2fac4f4208649ed18ac1cffdca7f68ccbf1373d0e5120d837e95

SHA512
51618c56101d5a9fee1806a4ca08f31eaecbd80c53ec21628f297d6d651086384d8e2bdac054240870a2b66af6ee02b3697bcf2df4af059132e495d1295cc4da

Download Submit
memory/1560-123-0x0000000001A40000-0x0000000001A8A000-memory.dmp

Filesize
296KB

Download
memory/3956-203-0x0000000003650000-0x000000000368E000-memory.dmp

Filesize
248KB

Download