hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/rogues/PC%20Defender%20v2[.]zip

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/rogues/PC%20Defender%20v2.zip

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\pcdef.exe\""	MsiExec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	pcdef.exe

Executes dropped EXE 6 IoCs

pid	Process
4184	rundelay.exe
3716	rundelay.exe
2960	pcdef.exe
3388	prockill64.exe
5620	prockill64.exe
5772	proccheck.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Def Group\PC Defender\uninstall.bat	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\prockill32.exe	msiexec.exe
File created	C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e5880e8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5880e3.msi	msiexec.exe
File created	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe	msiexec.exe
File created	C:\Windows\Installer\e5880e3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}	msiexec.exe
File created	C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe	msiexec.exe
File created	C:\Windows\Installer\e5880e7.msi	msiexec.exe
File created	C:\Windows\Installer\e5880e8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84EA.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proccheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundelay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundelay.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\delrstrui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLWRELQIIBUITZHXGZBO.bat"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundelay.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundelay.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundelay.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Version = "33554432"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AdvertiseFlags = "388"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\PC Defender v2\\"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AdvertiseFlags = "388"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21B3A6546EF8EA14E9C5E5550F17C290\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "[email protected]"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\PC Defender v2\\"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "[email protected]"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\21B3A6546EF8EA14E9C5E5550F17C290	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\PC Defender v2\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\PackageCode = "793E8A3EDC915D546911442ABED08716"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\PC Defender v2\\"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AdvertiseFlags = "388"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9E6DD28BF81ED654F84A0E1B229F9D5B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\PC Defender v2\\"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\PC Defender v2\\"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\ProductName = "PC Defender"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Version = "33554432"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\AuthorizedLUAApp = "0"	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Language = "1033"	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Clients = 3a0000000000	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9E6DD28BF81ED654F84A0E1B229F9D5B\21B3A6546EF8EA14E9C5E5550F17C290	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Language = "1033"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Net	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\PackageCode = "793E8A3EDC915D546911442ABED08716"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media\1 = ";"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Net	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\ProductName = "PC Defender"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Assignment = "1"	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Clients = 3a0000000000	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\PC Defender v2\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\PackageCode = "793E8A3EDC915D546911442ABED08716"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\PackageName = "[email protected]"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\Language = "1033"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\SourceList\Media	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290\SourceList\Media	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\InstanceType = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_\DeploymentFlags = "3"	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3376	msedge.exe
3376	msedge.exe
5008	msedge.exe
5008	msedge.exe
2852	identity_helper.exe
2852	identity_helper.exe
4316	msedge.exe
4316	msedge.exe
2400	msiexec.exe
2400	msiexec.exe
2960	pcdef.exe
2960	pcdef.exe
3388	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
5620	prockill64.exe
5620	prockill64.exe
3388	prockill64.exe
5620	prockill64.exe
5620	prockill64.exe
2960	pcdef.exe
2960	pcdef.exe
3388	prockill64.exe
3388	prockill64.exe
5772	proccheck.exe
5772	proccheck.exe
3388	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
5620	prockill64.exe
5620	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
5620	prockill64.exe
5620	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
2960	pcdef.exe
2960	pcdef.exe
5772	proccheck.exe
5772	proccheck.exe
5620	prockill64.exe
5620	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
5620	prockill64.exe
5620	prockill64.exe
3388	prockill64.exe
3388	prockill64.exe
2960	pcdef.exe
2960	pcdef.exe
5620	prockill64.exe
5620	prockill64.exe
5772	proccheck.exe
5772	proccheck.exe
3388	prockill64.exe
3388	prockill64.exe
5620	prockill64.exe
5620	prockill64.exe
3388	prockill64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	2400	msiexec.exe
Token: SeCreateTokenPrivilege	4268	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4268	msiexec.exe
Token: SeLockMemoryPrivilege	4268	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4268	msiexec.exe
Token: SeMachineAccountPrivilege	4268	msiexec.exe
Token: SeTcbPrivilege	4268	msiexec.exe
Token: SeSecurityPrivilege	4268	msiexec.exe
Token: SeTakeOwnershipPrivilege	4268	msiexec.exe
Token: SeLoadDriverPrivilege	4268	msiexec.exe
Token: SeSystemProfilePrivilege	4268	msiexec.exe
Token: SeSystemtimePrivilege	4268	msiexec.exe
Token: SeProfSingleProcessPrivilege	4268	msiexec.exe
Token: SeIncBasePriorityPrivilege	4268	msiexec.exe
Token: SeCreatePagefilePrivilege	4268	msiexec.exe
Token: SeCreatePermanentPrivilege	4268	msiexec.exe
Token: SeBackupPrivilege	4268	msiexec.exe
Token: SeRestorePrivilege	4268	msiexec.exe
Token: SeShutdownPrivilege	4268	msiexec.exe
Token: SeDebugPrivilege	4268	msiexec.exe
Token: SeAuditPrivilege	4268	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4268	msiexec.exe
Token: SeChangeNotifyPrivilege	4268	msiexec.exe
Token: SeRemoteShutdownPrivilege	4268	msiexec.exe
Token: SeUndockPrivilege	4268	msiexec.exe
Token: SeSyncAgentPrivilege	4268	msiexec.exe
Token: SeEnableDelegationPrivilege	4268	msiexec.exe
Token: SeManageVolumePrivilege	4268	msiexec.exe
Token: SeImpersonatePrivilege	4268	msiexec.exe
Token: SeCreateGlobalPrivilege	4268	msiexec.exe
Token: SeBackupPrivilege	4500	vssvc.exe
Token: SeRestorePrivilege	4500	vssvc.exe
Token: SeAuditPrivilege	4500	vssvc.exe
Token: SeBackupPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
4268	msiexec.exe
4268	msiexec.exe
4268	msiexec.exe
5184	msiexec.exe
5184	msiexec.exe
5008	msedge.exe
2960	pcdef.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
2960	pcdef.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe
3876	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe
2960	pcdef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 1744	5008	msedge.exe	84
PID 5008 wrote to memory of 1744	5008	msedge.exe	84
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 1604	5008	msedge.exe	85
PID 5008 wrote to memory of 3376	5008	msedge.exe	86
PID 5008 wrote to memory of 3376	5008	msedge.exe	86
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87
PID 5008 wrote to memory of 2100	5008	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/rogues/PC%20Defender%20v2.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc80b46f8,0x7ffbc80b4708,0x7ffbc80b4718
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,586783488208903350,1266713288083675921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:3304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1572

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\PC Defender v2\[email protected]"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5576
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1684544800771CC2F72FED8AE812FAD E Global\MSI0000
  2⤵
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:5728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:6044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:6136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776
- - C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
    "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:4184
  - - C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe
      "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1
      4⤵
      Executes dropped EXE
      PID:3716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /x "C:\Users\Admin\Downloads\PC Defender v2\[email protected]"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5184

C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe
"C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2960
- C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
  "C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- - C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe
    "C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5620
- C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe
  "C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe" pcdef.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5772

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5756

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5048

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
PID:2696

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
PID:6028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5880e6.rbs

Filesize
14KB

MD5
d19f5a28eedd16bdabc2e71e03119f13

SHA1
8e6df7924594ed9ac6922a47965de95531b14c77

SHA256
7406ee8231d299bfb3628da37022a424f7cf14ff7abbd6edf78f47ab99a5e9a3

SHA512
6eeda9c67bbc6b0edd1e3db2c3d850c5e3f4bbf56bdf7123b48e49df3b39c793cb952d38ec9bb225eaad427c0648c6721d39aa9e1664095bdfc0fb8322f441af

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe

Filesize
1.2MB

MD5
f37c2e31bd57905b90de048c58221dd4

SHA1
95d3972a5c6cf223e70d01e11e04a798eea59f8a

SHA256
352492ae2be4b4fcfe97a76f5318abe2351d9c4d33d6438a8f2fc87ed6601a06

SHA512
8bb6548c9a8ab47e9380ef0d01fd824c84a12469b29f5874de2969359a81d122aa379973608592ccee556b6639bfe85f920346e2f2c104ba5c333c57ce091680

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe

Filesize
93KB

MD5
d96a5175eecd752ca22f41bad80870c0

SHA1
00f68eee206c2a6b07dd86e1cbf008c082a8032f

SHA256
c3ab412d3ea0232bb891319fe9ac79b1ed0a61d9251a574c9502a6cef0b1f5b5

SHA512
918db6e7728d2890fbd3afd8a9f4da2636d6eabe0cbeaeacb379db9ea779d7ba6133ed4b367725487bf18c10874f5700be5d252d527116ccf879842afadbe13c

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe

Filesize
86KB

MD5
46b816356a5e05f65bfaed216106e7a0

SHA1
e7c55d7b4d2887a93ea55e55ed45ee57f8fbe9fa

SHA256
7eb8eecdf4654171f721a58a44d19ba2a1f35d8bbdabf38bff9f1c3c31fc1d19

SHA512
54cc8b6e56bba14608c95e5c678c00ed363e7e0cff77f9799ed3654022e13c883136b6477e2aa4b753c7ef8331033369168900f61bd36b35384dc72c4e60e3be

Download Submit
C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe

Filesize
43KB

MD5
c05ccc260692e8bfb5b6ba7238dbb943

SHA1
4ad185a7acb1c4ffcb3c03daa77cc77a833ae7e6

SHA256
0d58d2b03e3f6d5f32216e74badae8ad0d7f94cc4f207d06883ba953a1594cba

SHA512
7707d1c3f9085a710527e2d1559c8268ca3a1fb70fca9f1cf391a02cd81002193c6971cefd7b00b371e14adf5ae7b83b63206b88ead13b04a20ad08c7154ac22

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
54ce18e2527a62f07d4bd95309c2e453

SHA1
078b7b48dbd9f55db7777241cbcbf84f888eac4b

SHA256
717e2defcf8993e40815423b9d1f14ed4fdf77a14c66dd4a1dcc474050d36408

SHA512
16f36fe0fb2fa337aa4a72d46356aecb10d33a57ce6ddfd4ffe880d904d35378021e016b0b03f76f155f31b377c8865ed11f25e888fba602709fd8235bc65bc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
492B

MD5
eae1eb65fd621e6749438259afe7af72

SHA1
502bf228af80f312d20001bea083ca5fb8ef4e29

SHA256
1bca0bd622d855af12258a117a3a80dc22b5fa62abf5c5aef3342d75c8f0a525

SHA512
159a58c74d3ee631fe4f804e30078eadd90669b86099078bc70681a4d7350e20dccf14c2e8995103e74be211a7f190cc17a9d3d7fd7b217b16760ec878a00401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
492B

MD5
9a6ce27b8d0b8451401204291e83d579

SHA1
0a94eaae0e37289b3ab5c634d886579f01f8cbab

SHA256
475dd5afca6828b19833bdabdc3d287a2a147dd8d6e8abeb42f5927e3ed903af

SHA512
bcc5cb6b95208daf67402adbab62269fa29f6406d88c5759344887c109285ab59625f94f139fe92fa4dcea2151d7e3d2455484272ed6399370e4452724497785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1fb14cd8661d8e62ac0cca8772dd5527

SHA1
0f3428d7a3fa7939cf32f65912beb85e3a21507c

SHA256
72a67937f7dad50f14f2b09f79fec49b46a9aec0c446e954f2f19403078c5a62

SHA512
639460fca88177888af56a5f705ef92be2db74c82c4abf7cd00976a0bbec796c5ed16384c16e6d7eed9ce9608aa4397af93e5944e6377bfc49050d807048d8a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
97649c71811b5691d969bee05b6deab3

SHA1
7c3be6ac78236ad4bfc4ea4f63c171a29aedaf50

SHA256
2ff465bc90386ac4237d80a97a30ec638a2e58ba3a03528b2016954644546182

SHA512
c34d2195ba72ed071a218f3ba37fb743c57c946a716bba9c54bd1610c85705f76c516d84d41265008aee385db3991daf086bb6c38e92e89e1c47baf65222fdf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d056bf5171f83a2252e4bf8d7e76451c

SHA1
5398708b40d4a72837a1191f96f3640d6213e09e

SHA256
913d9094199141a22a0e930c0948a8104f5b36be6c1dea25715180defff4c354

SHA512
ef6ade689c828060034341643acd9545c2736d14208d851e3442cd89ec2e63c46f997e98b01d520e03edbf2deaf28a6277a11d222d36204ed03eec2e6d0247f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
3859b0c919e643c7bd8fd1695865b42b

SHA1
21a5b0ba0f405dfc0c67333777b2e9ccd9016c2d

SHA256
1b4670bbdc02922bcff8e1fe8c4cf722c7416f7d04447d15f43b4042cf686577

SHA512
9e37b9ffa86ef26c6f73ba04dd07630dc86c53cf90402c41cdf6d7ee3da1eea2db34f82331c12d7d8ddf6322760eee3c37398782f4d13112586a5ae996384c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5803d3.TMP

Filesize
874B

MD5
f35fda280d95d084c2cf8caa66e1a47d

SHA1
f90299d44c7682e85769610b33e2d42287e2c422

SHA256
29fc298a90b5934e6e6d12acf7f5f1a67660002166655b1eaee5cd36e06986bb

SHA512
7dda59cc588bdd4f1b8d7a71319c031a400e6842804182b04842bd9a08636408b0a460be36746ef3d9ed18cfefa2ec9ab063274239e286bc2e8b8430bb2d6792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5776d4280c4e350e3931ddfec81f7941

SHA1
28bb204ae1fd7811f80db1c49aa9722044bb0178

SHA256
70da1c10f5596ac67f2d2c146152191380d23e82b79b306ecd90055cbe4d11bb

SHA512
fecb04c0981ea76e29c1473c7179e6a7f2ff0554a5f65328b274c55c7012e941c573e04c8aae542d63adb07b5f0f520e80871176d0a432662f0c11a3c2161a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5fab320db5def36fa97e59c02351770a

SHA1
f661b07b09cfb13f63f6b12be009156d867b64be

SHA256
d531721299b3f18715506385061a467820b21350bf10c6ca9a0568d1c670db98

SHA512
e93339bbe17317f2cd2b62f48099a7ec40ee2cbaf300875b81317fb51ba64d625eaa226eb606fe4b9ad537389c289d30944d2ae9a98cbf943b9e41e589ccbf8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
90808533329072f68016c35babca4bf0

SHA1
cfef05f6baa5dbc152f783da1175976c3814a3e8

SHA256
d8e6ce27d2d8ca5ee24da41081144108975445e9333d85f059d40c92c7aa44a3

SHA512
099a3597658bf5cfa7e0d307cf4c21820a5c07be4a091383a3100732332304db58c515ebecf16389d3792102812efc8ac6bc8f72aa9f1a9013a0ed7fd63fec88

Download Submit
C:\Users\Admin\Downloads\PC Defender v2.zip

Filesize
789KB

MD5
cad618323b07c0f4f6273ae08df1779e

SHA1
e67715f81f83ce7cda32f12a116cc950b6fd0dac

SHA256
854113f2737ee276ba34fac399e8a615e4de4c712dd7a761ab0e198fa09d87fc

SHA512
efd9403706accfe996b5df58300b5e0a0b461727bdf7c5492e9914369fef09ae06cdc2d00d30ac6d494fc68dadcf423d800741f7c22d5c1d565ef3fc675c4565

Download Submit
C:\Windows\Installer\e5880e3.msi

Filesize
860KB

MD5
b3dce5c3f95a18fd076fad0f73bb9e39

SHA1
e80cc285a77302ee221f47e4e94823d4b2eba368

SHA256
df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff

SHA512
c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
91d3c6fd3930dd92abbc29fed0ac7b83

SHA1
2e016be986769e2001f953f5c9e0f77297df307f

SHA256
e6ac5e4124b71f3ec370c669bf16c17a39aa16cd9b0a8e0d86f812d388af2a67

SHA512
f3ab540122e29a49a14e30035ee115d0c36e40f0d0767e00484a3d3d7c504dc3b1f03da8274f87e23ac658f7e9ea820e1b77db72c79ff2e9c23a18737699d0b4

Download Submit
\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2e3fc3ea-1f74-4c68-9eb3-50a7f004355a}_OnDiskSnapshotProp

Filesize
6KB

MD5
c59342f02060b341688a91c010cdc56c

SHA1
55a5a5de4c9b09943bc9024667c0ccc022dce1b6

SHA256
0848c8544e4c14e1c3efd14a762fb91c896fa7af93957b2156025ce375f9f664

SHA512
a81e8ac28f00e4ed15d56085d78e6427d7efe845cb7a8973d990e5408e80fc26654346ff6247f369d6caffa51825dc1396a63198d72e27b42dbd43b89ea4be21

Download Submit
memory/3876-447-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-456-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-455-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-454-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-453-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-452-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-451-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-457-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-445-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download
memory/3876-446-0x0000019C58E70000-0x0000019C58E71000-memory.dmp

Filesize
4KB

Download