xmrig | 0a8a9badaa7a74653d52a76837cbc5bb0052c3a5222813f754de14408d507a04

Analysis

max time kernel
147s
max time network
126s
platform
windows7_x64
resource
win7-en-20210920
submitted
13-10-2021 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PerfectDisk.Pro-14.0.900.exe
Size

22.5MB
MD5

a812981ee51425866446c46b40b0beea
SHA1

70ecfc7162d69218ebe91d40dda1d8ebdf10587c
SHA256

0a8a9badaa7a74653d52a76837cbc5bb0052c3a5222813f754de14408d507a04
SHA512

6171462dbbe9145769c3439de276476eb31cb5073cb8d28b58de1ea774cf260f887fbecfecf8d06fb5184b9096bdb42b8845af3c9dd90a710cf7943109c1a7ee

Score

10^/10

xmrig bootkit miner persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

3 1728 msiexec.exe
5 1728 msiexec.exe
7 1728 msiexec.exe

flow	pid	process
3	1728	msiexec.exe
5	1728	msiexec.exe
7	1728	msiexec.exe

Drops file in Drivers directory 4 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\DefragFs.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\DefragFs_VS2013.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\defragfs_VS2015.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\PDFsFilter.sys	msiexec.exe

Executes dropped EXE 5 IoCs

Processes:

PDEngine.exePDAgent.exePDAgentS1.exeAutoUpdGui.exePerfectDisk.exe

pid process

1400 PDEngine.exe
1780 PDAgent.exe
1592 PDAgentS1.exe
1596 AutoUpdGui.exe
2268 PerfectDisk.exe
Uses Session Manager for persistence 2 TTPs
Creates Session Manager registry key to run executable early in system boot.
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

PDEngine.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate PDEngine.exe

pid	process
1400	PDEngine.exe
1780	PDAgent.exe
1592	PDAgentS1.exe
1596	AutoUpdGui.exe
2268	PerfectDisk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	PDEngine.exe

Loads dropped DLL 64 IoCs

Processes:

PerfectDisk.Pro-14.0.900.exeMsiExec.exeMsiExec.exeMsiExec.exemsiexec.exePDEngine.exePDAgent.exePDAgentS1.exeAutoUpdGui.exePerfectDisk.exe

pid	process
2040	PerfectDisk.Pro-14.0.900.exe
2040	PerfectDisk.Pro-14.0.900.exe
2040	PerfectDisk.Pro-14.0.900.exe
2040	PerfectDisk.Pro-14.0.900.exe
2040	PerfectDisk.Pro-14.0.900.exe
1760	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1760	MsiExec.exe
1692	MsiExec.exe
1728	msiexec.exe
1728	msiexec.exe
1388
1388
1388
880
880
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1388
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
468
468
1400	PDEngine.exe
1400	PDEngine.exe
1400	PDEngine.exe
1400	PDEngine.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1388
1692	MsiExec.exe
1400	PDEngine.exe
1400	PDEngine.exe
1400	PDEngine.exe
1400	PDEngine.exe
1400	PDEngine.exe
1780	PDAgent.exe
1780	PDAgent.exe
1780	PDAgent.exe
1780	PDAgent.exe
1780	PDAgent.exe
1780	PDAgent.exe
1592	PDAgentS1.exe
1596	AutoUpdGui.exe
1596	AutoUpdGui.exe
2268	PerfectDisk.exe
2268	PerfectDisk.exe
2268	PerfectDisk.exe
2268	PerfectDisk.exe
1780	PDAgent.exe
1780	PDAgent.exe
1780	PDAgent.exe
1780	PDAgent.exe
1780	PDAgent.exe
1780	PDAgent.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

MsiExec.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" MsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	MsiExec.exe

Enumerates connected drives 3 TTPs 27 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exePDEngine.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	PDEngine.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\D:	PDEngine.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	PDEngine.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

PDEngine.exePDAgent.exe

description ioc process

File opened for modification \??\PhysicalDrive0 PDEngine.exe
File opened for modification \??\PhysicalDrive0 PDAgent.exe
Drops file in System32 directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Windows\system32\PDBoot.exe msiexec.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	PDEngine.exe
File opened for modification	\??\PhysicalDrive0	PDAgent.exe

description	ioc	process
File created	C:\Windows\system32\PDBoot.exe	msiexec.exe

Drops file in Program Files directory 38 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\Raxco\PerfectDisk\QtGui4.dll	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\chartdir50.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\sqlceqp35.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\PDAgent.tlb	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\AutoUpdDLL.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\English.tr	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PDCmd.exe	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\sqlceoledb35.dll	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\DefragFS_VS2015\defragfs.cat	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\PDFSFilter\PDFsPerf.ini	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\DefragFS\defragfs.cat	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\ssleay32.dll	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\English.tr	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\GPO\PerfectDisk14_0.admx	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PerfectDisk.exe	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\PDFSFilter\PdFsfilter.cat	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\Config.ini	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PDVmGuestPS.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\sqlceca35.dll	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\GPO\en-us\PerfectDisk14_0.adml	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\PDFSFilter\PDFsFilter.inf	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\PDEnginePS.dll	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PatchPDLocalDB.sql	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\libeay32.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\sqlceoledb35.raxco.manifest	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\QtCore4.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\PDState.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\PDUtils_v130.dll	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PDAgent.exe	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\DefragFS\DefragFS.inf	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\AutoUpdGui.exe	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PDFsPerf.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PDElevationWorker.exe	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\PDVmGuest.dll	msiexec.exe
File created	C:\Program Files\Common Files\Raxco\Shared\sqlcese35.dll	msiexec.exe
File created	C:\Program Files\Raxco\PerfectDisk\DefragFS_VS2015\defragfs.inf	msiexec.exe

Drops file in Windows directory 43 IoCs

Processes:

msiexec.exeMsiExec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI60DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6689.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA77C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6262.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CDC10E4C3600C3943B38C9F4FCA7987F\14.0.900\F_CENTRAL_msvcp100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File created	C:\Windows\Installer\{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}\MenuStartPD.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA72C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA75C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CDC10E4C3600C3943B38C9F4FCA7987F\14.0.900\F_CENTRAL_msvcr100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CDC10E4C3600C3943B38C9F4FCA7987F\14.0.900\F_CENTRAL_msvcp100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File opened for modification	C:\Windows\Installer\{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}\DesktopStartPD.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4E9.tmp	msiexec.exe
File created	C:\Windows\Installer\f765c24.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA46B.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIA77D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC95.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CDC10E4C3600C3943B38C9F4FCA7987F	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CDC10E4C3600C3943B38C9F4FCA7987F\14.0.900\F_CENTRAL_msvcr100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File created	C:\Windows\Installer\{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA44B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC75.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCE5.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI7C40.tmp	msiexec.exe
File created	C:\Windows\Installer\f765c28.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f765c26.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f765c24.msi	msiexec.exe
File created	C:\Windows\Installer\f765c26.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CDC10E4C3600C3943B38C9F4FCA7987F\14.0.900	msiexec.exe
File opened for modification	C:\Windows\Installer\{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}\DesktopStartPD.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6502.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}\MenuStartPD.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA43A.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeMsiExec.exemsiexec.exegrpconv.exerunonce.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Raxco\PDConsole\14.0	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Raxco\PDConsole\14.0	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Raxco\PDConsole\14.0	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Raxco\PDConsole	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-18	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Raxco	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Raxco	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Raxco\PDConsole\14.0	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Raxco\PDConsole	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000508d9d7e67c0d701	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	runonce.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\PDState.PDFileBrowserEx.1\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C5D25F7B-6109-4111-9946-83814BD71D5D}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F2ADB390-9BDA-11DF-981C-0800200C9A66}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77499A0B-E5FE-4db5-A490-ADF727549681}\ = "CChunkSensativeDefragOnly Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E1D4C78F-A52B-42C9-B475-C72A041DAD75}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C3A064E-C867-47E2-B0A1-E39285B9028A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3FC2C52-4AAE-4A9C-8433-0E4B66575278}\ = "IPD10Configuration"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDEngine.PDEngineLicense\CurVer\ = "PDEngine.PDEngineLicense.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{A4E2CDFB-B8BA-49B2-9D8B-79A0B3BBEAD0}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDState.PDFileBrowserEx.1\CLSID\ = "{4083DD45-6214-4147-92C7-E5980F92BC0A}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{55B1F637-52E1-46A9-9E94-BEA5E28D9C6B}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45A03850-8EAF-4ffe-B18A-5A17333795A7}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{40425F41-5EFC-4D3C-8331-76D67D22DA68}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDEngine.CChunkSensativeDefragOnly\CurVer\ = "PDEngine.CChunkSensativeDefragOnly.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3FC2C52-4AAE-4A9C-8433-0E4B66575278}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90A1998A-EB21-4F61-872F-F4DFDE1065D6}\ = "Microsoft SQL Server Compact OLE DB Provider for Windows Error Lookup"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDEngine.DriveManager.1\ = "DriveManager Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{FAD56C9D-F10B-48E4-97A6-4F5BCE74B147}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F279FB84-1168-4092-887E-ABC87398146F}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9F55F0AD-2731-46FC-BDB5-601462CEFE9C}\ProxyStubClsid32\ = "{F34CE102-4FE1-4068-93E1-49F316681D4E}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{18EF8FA5-89B7-4380-8AED-D502AD575DB4}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDUtils.PDBrowser.130\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{FE4CFAFE-910B-49E4-A581-D2B5B335250A}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21D752C0-92A4-4EBF-A85F-349832B74527}\ProgID\ = "AutoUpd91.AutoUpd91IniInterface.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4F2CB923-219F-4FC2-BC23-1E34C02671DD}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2070972B-BE20-4395-9AC7-88A9CCF160BB}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{455c3e04-bfe9-4089-8622-f2464ec3fddb}\InprocServer32\ = "C:\\Program Files\\Common Files\\Raxco\\Shared\\sqlceca35.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\08E5642BD1DFA4D4780F4AA8FD89CB1B	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B0A4A2E0-83E1-4229-ABB5-53EB4CC6882D}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{628ADB01-5ABE-4672-84DD-EA9F5426F535}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E03CACF-4DFF-4F3B-BFC3-42919C2DAB81}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{18EC0531-7D75-46E7-8869-384AEDB699C9}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDState.PDFileOp\CurVer\ = "PDState.PDFileOp.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{21D752C0-92A4-4EBF-A85F-349832B74527}\Version	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDEngine.DefragOnly	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7C73EFBE-1AEA-40A7-99AB-1B45EAB731C7}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C8C9637-5840-4647-8F3B-B08A6D06454A}\ = "PDEngineConfig Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDEngine.PDEngineLicense\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B83F237B-81DD-4C3F-87FF-E7A534D221CA}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6A2448B5-6D47-4927-A429-89466114489E}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDEngine.DefragFiles\CurVer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBE45900-B8A5-46FE-ACAA-EF56CC22D998}\AppID = "{D0027BB3-371D-4783-A64A-CA1296723B1E}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E1D4C78F-A52B-42C9-B475-C72A041DAD75}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2070972B-BE20-4395-9AC7-88A9CCF160BB}\1.0\ = "PDAgent Type Library"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{62DBE6CE-65DF-4704-921E-52D17B77D391}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDState.PDFileBrowserEx	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4083DD45-6214-4147-92C7-E5980F92BC0A}\AppID = "{89601CD4-152F-43B8-8E33-2368E8E01C10}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDAgent.PDAgentFileBrowser.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AB8F0C77-B851-4233-AC51-49E731077C50}\Version	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDEngine.WWGlobalSettings.1\CLSID\ = "{F01E003F-2784-4178-9209-5128ED010A65}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21D752C0-92A4-4EBF-A85F-349832B74527}\TypeLib\ = "{4F2CB923-219F-4FC2-BC23-1E34C02671DD}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A322AB8-E12D-4E6F-B383-B2493A2F210C}\NumMethods\ = "16"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDEngine.DefragDirect	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDState.PDFileShredder.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A51AFC8C-431E-46E8-B3D0-4EBFDC879782}\TypeLib\ = "{2070972B-BE20-4395-9AC7-88A9CCF160BB}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{90A1998A-EB21-4F61-872F-F4DFDE1065D6}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3018609e-cdbc-47e8-a255-809d46baa319}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C655122C-2AC6-4995-8C7B-928B7078AB40}\ = "PDBrowser Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PDEngine.ConsolidateFreeSpaceArbitraryRegion	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{62DBE6CE-65DF-4704-921E-52D17B77D391}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDC10E4C3600C3943B38C9F4FCA7987F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RaxcoTEMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0A4A2E0-83E1-4229-ABB5-53EB4CC6882D}\NumMethods\ = "33"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4E2CDFB-B8BA-49B2-9D8B-79A0B3BBEAD0}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3FC2C52-4AAE-4A9C-8433-0E4B66575278}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid	process
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1568	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe
1692	MsiExec.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

468
468
468

pid	process
468
468
468

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	1452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1452	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeSecurityPrivilege	1728	msiexec.exe
Token: SeCreateTokenPrivilege	1452	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1452	msiexec.exe
Token: SeLockMemoryPrivilege	1452	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1452	msiexec.exe
Token: SeMachineAccountPrivilege	1452	msiexec.exe
Token: SeTcbPrivilege	1452	msiexec.exe
Token: SeSecurityPrivilege	1452	msiexec.exe
Token: SeTakeOwnershipPrivilege	1452	msiexec.exe
Token: SeLoadDriverPrivilege	1452	msiexec.exe
Token: SeSystemProfilePrivilege	1452	msiexec.exe
Token: SeSystemtimePrivilege	1452	msiexec.exe
Token: SeProfSingleProcessPrivilege	1452	msiexec.exe
Token: SeIncBasePriorityPrivilege	1452	msiexec.exe
Token: SeCreatePagefilePrivilege	1452	msiexec.exe
Token: SeCreatePermanentPrivilege	1452	msiexec.exe
Token: SeBackupPrivilege	1452	msiexec.exe
Token: SeRestorePrivilege	1452	msiexec.exe
Token: SeShutdownPrivilege	1452	msiexec.exe
Token: SeDebugPrivilege	1452	msiexec.exe
Token: SeAuditPrivilege	1452	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1452	msiexec.exe
Token: SeChangeNotifyPrivilege	1452	msiexec.exe
Token: SeRemoteShutdownPrivilege	1452	msiexec.exe
Token: SeUndockPrivilege	1452	msiexec.exe
Token: SeSyncAgentPrivilege	1452	msiexec.exe
Token: SeEnableDelegationPrivilege	1452	msiexec.exe
Token: SeManageVolumePrivilege	1452	msiexec.exe
Token: SeImpersonatePrivilege	1452	msiexec.exe
Token: SeCreateGlobalPrivilege	1452	msiexec.exe
Token: SeBackupPrivilege	1288	vssvc.exe
Token: SeRestorePrivilege	1288	vssvc.exe
Token: SeAuditPrivilege	1288	vssvc.exe
Token: SeBackupPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	288	DrvInst.exe
Token: SeRestorePrivilege	288	DrvInst.exe
Token: SeRestorePrivilege	288	DrvInst.exe
Token: SeRestorePrivilege	288	DrvInst.exe
Token: SeRestorePrivilege	288	DrvInst.exe
Token: SeRestorePrivilege	288	DrvInst.exe
Token: SeRestorePrivilege	288	DrvInst.exe
Token: SeLoadDriverPrivilege	288	DrvInst.exe
Token: SeLoadDriverPrivilege	288	DrvInst.exe
Token: SeLoadDriverPrivilege	288	DrvInst.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe
Token: SeTakeOwnershipPrivilege	1728	msiexec.exe
Token: SeRestorePrivilege	1728	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exePerfectDisk.exe

pid process

1452 msiexec.exe
1452 msiexec.exe
2268 PerfectDisk.exe
2268 PerfectDisk.exe
2268 PerfectDisk.exe
2268 PerfectDisk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

PerfectDisk.exe

pid process

2268 PerfectDisk.exe
2268 PerfectDisk.exe
2268 PerfectDisk.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AutoUpdGui.exePerfectDisk.exe

pid process

1596 AutoUpdGui.exe
1596 AutoUpdGui.exe
2268 PerfectDisk.exe

pid	process
1452	msiexec.exe
1452	msiexec.exe
2268	PerfectDisk.exe
2268	PerfectDisk.exe
2268	PerfectDisk.exe
2268	PerfectDisk.exe

pid	process
2268	PerfectDisk.exe
2268	PerfectDisk.exe
2268	PerfectDisk.exe

pid	process
1596	AutoUpdGui.exe
1596	AutoUpdGui.exe
2268	PerfectDisk.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

PerfectDisk.Pro-14.0.900.exemsiexec.exeMsiExec.exerunonce.exePDAgent.exePDAgentS1.exe

description	pid	process	target process
PID 2040 wrote to memory of 1452	2040	PerfectDisk.Pro-14.0.900.exe	msiexec.exe
PID 2040 wrote to memory of 1452	2040	PerfectDisk.Pro-14.0.900.exe	msiexec.exe
PID 2040 wrote to memory of 1452	2040	PerfectDisk.Pro-14.0.900.exe	msiexec.exe
PID 2040 wrote to memory of 1452	2040	PerfectDisk.Pro-14.0.900.exe	msiexec.exe
PID 2040 wrote to memory of 1452	2040	PerfectDisk.Pro-14.0.900.exe	msiexec.exe
PID 2040 wrote to memory of 1452	2040	PerfectDisk.Pro-14.0.900.exe	msiexec.exe
PID 2040 wrote to memory of 1452	2040	PerfectDisk.Pro-14.0.900.exe	msiexec.exe
PID 1728 wrote to memory of 1760	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1760	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1760	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1760	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1760	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1760	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1760	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1568	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1568	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1568	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1568	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1568	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1692	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1692	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1692	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1692	1728	msiexec.exe	MsiExec.exe
PID 1728 wrote to memory of 1692	1728	msiexec.exe	MsiExec.exe
PID 1692 wrote to memory of 1796	1692	MsiExec.exe	runonce.exe
PID 1692 wrote to memory of 1796	1692	MsiExec.exe	runonce.exe
PID 1692 wrote to memory of 1796	1692	MsiExec.exe	runonce.exe
PID 1796 wrote to memory of 1576	1796	runonce.exe	grpconv.exe
PID 1796 wrote to memory of 1576	1796	runonce.exe	grpconv.exe
PID 1796 wrote to memory of 1576	1796	runonce.exe	grpconv.exe
PID 1780 wrote to memory of 1592	1780	PDAgent.exe	PDAgentS1.exe
PID 1780 wrote to memory of 1592	1780	PDAgent.exe	PDAgentS1.exe
PID 1780 wrote to memory of 1592	1780	PDAgent.exe	PDAgentS1.exe
PID 1592 wrote to memory of 1596	1592	PDAgentS1.exe	AutoUpdGui.exe
PID 1592 wrote to memory of 1596	1592	PDAgentS1.exe	AutoUpdGui.exe
PID 1592 wrote to memory of 1596	1592	PDAgentS1.exe	AutoUpdGui.exe

C:\Users\Admin\AppData\Local\Temp\PerfectDisk.Pro-14.0.900.exe
"C:\Users\Admin\AppData\Local\Temp\PerfectDisk.Pro-14.0.900.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\msiexec.exe
"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\PerfectDisk.msi" /qb INSTALLDIR="C:\Program Files\Raxco\PerfectDisk" INSTALL_DESKTOP_ICON=1
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0039FE920748E15D9C3CE3324C285DC
2⤵
- Loads dropped DLL
PID:1760

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 7DF10F5186DC81C4A7E1D0D38739A8DB
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 31245CF738FCA013DE3BF3F4C717533C M Global\MSI0000
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
3⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
4⤵
- Modifies data under HKEY_USERS
PID:1576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "00000000000003B4" "000000000000054C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe
"C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:1400

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
"C:\Program Files\Raxco\PerfectDisk\PDAgent.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1780

C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
"C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592

C:\Program Files\Raxco\PerfectDisk\AutoUpdGui.exe
"C:\Program Files\Raxco\PerfectDisk\AutoUpdGui.exe" /scheduledrun " HKLM\Software\Raxco\PerfectDisk\14.0\AutoUpdSettings\ "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1120

C:\Program Files\Raxco\PerfectDisk\PerfectDisk.exe
"C:\Program Files\Raxco\PerfectDisk\PerfectDisk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\AutoUpdDLL.dll
MD5
e012bfa08ae3e2950461813be9f4e4b6

SHA1
b3467fc42b61d12e89267d0f483399936cca3e6e

SHA256
8a27912cb088f8ab6f802730bd12d2a135d96adcd84485489a5f206506f99fda

SHA512
e55f66377c77b5dad9f365307f8d38187d59efcaccb93b4758a49f8f51072af499a0bbb440b8b143aeaf8d35971b9914e79de4fd58863c76cb1208139f613052

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\English.tr
MD5
30ab20dbb3661e2e67f952576cadd550

SHA1
39e13d38c7fda0831e073da5115b5459c965d4d5

SHA256
fc2fd9f45459ec3ccc1dd82ac8483edf51504307523852d989a56d534f325fde

SHA512
29b25939743e6ff104c08e9673e0744b973335e459c6ed76107c6c42d0aa67468c2d4134b294a41acc4f8be51d2645ee80aea3525a7d4fdadda6c882a043d355

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\PDAgent.tlb
MD5
8f0c7dc657877167b91f17173a72488b

SHA1
1c80c9a3e9947e72e5b52a5118a2189489913333

SHA256
9267e2fb33e8c30b2ca2b1eeaed1bbf26dc9c419aa57ba05fde5b85b018fb4e2

SHA512
5bccea08f652cdf22bf449cd1e1b34b2fe1796945523d9b2c7c60961eee185beb702e82871c9203034317a27615251d6645159a9f17d1823fe8c7704417ce94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\PDEngine.exe
MD5
c0f916f45c4cf3b7200216b3bc7347c5

SHA1
109af588a27d5c79d5f8cf8042f4ead606e9de71

SHA256
cadccdc492ba018903fb967571d6e2cd6c3bd814799e68a6797955a8f4a814c1

SHA512
76dd6e65cacd50996de8b6a168f6bd1657eaf948196f96a043f70d891c3e1024e832622c998dec28a1a125d1647644714df91585c776b5fb4a8d6bc626869c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\PDEnginePS.dll
MD5
a13b894c65ff3b2a60c55fcd52bf2b5c

SHA1
072b5fc3d8ccbb41eabbb9a14805b21867577c2c

SHA256
24ce0812d007d6f0c546302affdb142112fea197b2e72451b278aef88a669bac

SHA512
0a1773a2ab6edfdb347e1320d0e2c0740f62f8a98224f3b43ce712e3c816f412ea3f499c5f240e916b4ad247f69f113d7fe6adda48b5cf0c04f99557cb341277

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\PDFSFilter\PDFsFilter.inf
MD5
986dc3685196d4822d8bdc37a0197883

SHA1
b0825d0c521466bf7671b31df50966862e0b0a26

SHA256
9f9d53fdd438cdb516610f66afddf401b4a3d651914356a47c191a52757b1b96

SHA512
28ffc56f6f43b0a97f746a6b56ba3c796b1bd971a29fb091fe6eb19ae03487c83c3c24f8bc22d9785d5ea90a8b67f3260fec3b4ee6c7ddd3f21d4428fa47ed4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\PDFSFilter\PDFsPerf.ini
MD5
9cc75fa4432c6d2f2fb32613f0b29b17

SHA1
13736254eeb4078f4e2b4782d4fb1246f12a2637

SHA256
2c7319db945b93052753dfd2c629c037fe9e8eb266aff8b2d587fe26ba9c489b

SHA512
3ea584edc908a3951df8f2497e040f0067476e1bb62342050e7c29508fec6855dbb4c4365ca05c7ccbc7a290be789d4632d956de45fb4646ca01bd6c48ebf93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\PDFSFilter\PdFsfilter.cat
MD5
9f93a1924027934954dd4d9f4c6e32f2

SHA1
6876d556c07685130334735a8cb8695966a62f89

SHA256
dcb6681c3014b78805d71c908f5d3a5331d4ccc03540bb2b790862f8ca8e5458

SHA512
4da9cebf4260508a30f22cfb5a336411df4c130004debe0cc72b271d582fee9ee32a8dd5230e8659093f4cd6cb3620bf1a182c182b79ce915f1243d58b69ce52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\PDState.dll
MD5
7ccb04d4d30196bee3cee263f23fa050

SHA1
6c0d5cdca60756a5fcda48ccd59a7abf669e4403

SHA256
6d41c69cc86d48c1a18e04529bac9f2a15f964132ca69c5a5b90f3af9b8529f6

SHA512
587fe0abc49659698c01853c9e6ca9997d25e9d8baaa2b5d3284b6d1ed464efe941f6f500cf4c4ac9413a0504f3cbc7ef54c198f017eb55c57c144cd5f77c594

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\PDUtils_v130.dll
MD5
f53e6710f5634a9735f7b378c9a970ac

SHA1
89894868e461fe3ce76e166cd659cc752629afa7

SHA256
b042ea108389f35d6f470125e5e14d547ade4df586aa750b885ca62fa3d0ad4f

SHA512
1c5515b884d8c3460345f759285f5e07c1331661891cf0684a90d477f5c37a852475178020abcf692337bd02280b03eb51532a1b8b7239e3ce022c166dc29208

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\sqlceca35.dll
MD5
35405a2318ff910265972cd184fe64d5

SHA1
9633ca32c9fc36f931d488357e00656311033597

SHA256
bf39b87c08a120fea63ebb7d2351ae06e329460f63a81f6844317b35249083b3

SHA512
bdfee029436670f12de3c007498dcfd3fd8d37ccb41e395083edd07901b0af00e9860ca83af21c16773aac95960745fe4ed5202f44982ec2e5b8c74860d7e03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\sqlceoledb35.dll
MD5
574556b24e7ffe24ed324e32a609ea67

SHA1
1f09b90b43efc4afb5e7f3c7bad7765beaa51b34

SHA256
aee567ffda64ef24a23abbf3036f4a183e3d747bc01fb45c8aaad97bb9460748

SHA512
a75b4a167221f8db331c60fb0381f0e4d5c5db3d1e8b87a3d475a30fc812beb50de3c27b852a9b5b96f550fb07058ea96e3ac0f4deb758cc03a97a9c87d0947e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\sqlceoledb35.raxco.manifest
MD5
2fa788787d50af5b7b317952abcd2a31

SHA1
dc80ed87fe695439f0797cfbb44af926eee96be9

SHA256
c01cfd2ad5c157c5eb5afd63331ce6af8dd45839825082e349f23adc92a093a8

SHA512
d3f92f0b8596c2d11b8db34824fa7d017a3595d07d3eac623e0641ea6fd9c5d5248ac154d340b4e3ed2e081bed54e712ada9a03bc709a8e655d4283fe37dbf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\sqlceqp35.dll
MD5
b61426a70e8c1c2e5232bbcb20ee40e3

SHA1
286cd3c57ba736899c4dbb54a72486be7489e41d

SHA256
638befc8c51d11137430c6358d1564f72fcd8f6ef254508c9e76c0015b00f8bd

SHA512
d5f76dc77d1c75735469d6c3f968463c2fa658e4ea3af66ebf0e955f6ee22bf844a1918997030b4a96a1cd6a6f2d8a0406d56102e56421fd21dd7f8d889662dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Common64\Raxco\Shared\sqlcese35.dll
MD5
dcc322f2bcf22ce8c8bbab89ca376c51

SHA1
759d6ffb8698438b1f5838b5554c3fc1ec835c10

SHA256
24b50b62f1aefe807432a9c0b42e24b90a1cb7a608c47e666837434665d80aec

SHA512
4adbaa9f9253afe6bcf2490d9935a60ff65a293ac25d28aabffbd8ad87be510d22543e88dfbb4d500b675cb45edd9683c0a2631e753fbd020e7d7f14d6deb7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\CommonAppData\Raxco\PerfectDisk\14.0\pd_local.sdf
MD5
a0617377b6d73811f4ef3a01cd6c58df

SHA1
a0a02a96ed23b9781a9bd1be1519dc8b615a2232

SHA256
7ba0238c5da14ddbf36904b25808b17b5b0eb3061e3f3cf3347d04abe1dadbad

SHA512
690ebdcb85895fba6880a44e25aa08b1f74811d4db28703e534c9a3cdd263785707b1e269756f491888de7b233090d7d4a5edf90d52f0c570927b1a7b25837e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\PerfectDisk.msi
MD5
633b9af6df69fbd88541a2339cf3e51d

SHA1
f7996de35e26fec41c6aea4c79c5f5171dd3505e

SHA256
340e433c31f9f406b31ddd67109eb33a54f88947064a6bc6f9633212c76cf0af

SHA512
18130eb383375d5a6e9c499ce83ae8d0a6cd5e6784dca37f24f6d34085d65e3d385e27e69f37dde413908e8d9241afbace36a5dc2419be59594af8d41e1f185e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\AutoUpdGui.exe
MD5
75daaf623f4fd54f906009f5bf20eb35

SHA1
06aa083cf9aa70a130154b43ee9aba79d458869b

SHA256
ee7613f3d9100c40a766963022eac341f7b17244ba175248679fac185478fedc

SHA512
20d976c66fe7c279eeb55d707acbc2db28e98eb5ea471d08aed5dc36436f5ff922c8f68b7b17c69ce32715f2f6010ecdf800a34ef758246227c0a3eb19fc43d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\Config.ini
MD5
9e7ca7fbb42571ea4cf0ce62a4420175

SHA1
93fa3813b63d76aeb4e310bfb6f16c89c0dc64d5

SHA256
8072ca687e9e99dcc0c690d1c79f1a8fa083359dbd31414e6ddf0a0226dd2579

SHA512
baa9b6418dcec868bf7e1750bf81560ec3e61881b84d4ce6d82fadc9a79449de0776b0e88dc095ee9acaa178ef6b8af11b4f4b200bd16f53d06fbc6333f68514

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\DefragFS\DefragFS.inf
MD5
73e9b25a97b86c0d2a1fd9440ec7e7ce

SHA1
7f899d7cf889352dbdc6e88a77ac515005c8ce0b

SHA256
06bb14c1e0effc9b75e838b17168be1975db16d83c1ad09f5480f3feda1d3de9

SHA512
62284f1882ef768e4a09355dadb4cef275c3d2677b744703314466c81957c05673b13f0c5101ce1be8e33e054b7e12e813c32acd85edccaf4bd40ee2419c0a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\DefragFS\defragfs.cat
MD5
bd6e66477a4fd6b24cf3575e27d8600f

SHA1
790de0bcf2570cbc1e2e336e2e4d7e3618e8eb97

SHA256
69b507dc7923a9862d508c188ed9d9201125d260c18e22aaefc7f9fb8230f5ba

SHA512
e4689b0e4811e9456ec30df4eb745ea8337fc575a0dc10b07df3a6c1e89c97c8f246d572ff135d3e026762d92a98d4951fc8ecec1be061ad894a5bbacb8448bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\DefragFS_VS2015\defragfs.cat
MD5
8d5bcb5c34801ea3d84e9f9321c97526

SHA1
b328b7c112b09d9d4abe3671dc92a9fad5f17e90

SHA256
68e153c8ffd285a94baab78d4d16e6e671ba091d246fc3fbd58f2c9bb77afa4f

SHA512
1ddeb1cde556dc9256295f5f744a014ec6e28aba5aa741c9f0bcb409447940e81aea8ce3b470c60455a84729772801d26f34267398737a0fce5e4ed65eb0bcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\DefragFS_VS2015\defragfs.inf
MD5
5ca71d49ae1d4f6218d1836dcef98e95

SHA1
434651879ee8b6e1a516d081eb6fd2c9cdef5214

SHA256
f62212eeaf2893cf9e1cd20ac0fae23ba8feecd300235c68f57f75533bbbc2a7

SHA512
f156ad17cef2573e23ceb1d184f12f4881519ffe71a65eafe03b3f7afe83ff4d76039c10bbae7d46448a812c21a358078b89e4d3946467c0939cf856abe512ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\English.tr
MD5
adfd9718491b750d5ad1653adfcab8ea

SHA1
3bcedb58c846df9531d93f4df7774bc87cd68571

SHA256
f61dd88d87ad636cb9fe88d59a0efcb7a144287e3111f035023d466c55fd1283

SHA512
da054a54584a13e1872dc3bbce8c09b9ba4c77f217ed003381cc82064b68dd430eb1e3ef1b32124b8009593f3aa97637dcf20bec7e0cf21607fee87e45bc6cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\GPO\PerfectDisk14_0.admx
MD5
78be040f0edbe2815130b421a6c4b676

SHA1
520c8163a27ca34af89f498cd57b9ce85c621f9c

SHA256
975ef796a3dce6609f8a1b83b186f885d8644fa026038c17dc8d4d13e58de7d6

SHA512
af26d9d25f0ee145c15a1e863b328c78793aff2fc68f289546e888ca4978d527e65f275c49eaa4b4f4b38648ea16aebc2e4837a93636339833af1012808ab071

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\GPO\en-us\PerfectDisk14_0.adml
MD5
3f70d9095fccc2b3cf39b360a291cf9d

SHA1
dae93449487352c01150bb0763a265a7c17e33d7

SHA256
00f610c2d041aa2c306806a810b66603c887b7c55b8084ef701271178d404d19

SHA512
734caf62b2e15cda1d5899d9c819390f5c97cf3cea74315d2529d1f89b8fb445094aa4f4d713a71c4c287e834ae2519dd705301240db192079f24c09febe6efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PDAgent.exe
MD5
33ecb75f16768dda8e75667d8954c9ab

SHA1
56d202560ece8bc5843961765bf53c2c94b70614

SHA256
ffc41a55740589c2d165fbc2e71ca570cccf4868e146fe041c0e2b70148f42d0

SHA512
dde2a2cd6424721175ef23eec913a28579720afc6e615975521ff2bdaee044359ada5ab7ffeff895b2aea657c40c98da83778a0828c574d3edd532db8fb34661

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PDAgentS1.exe
MD5
9354cdb20205977beb113028e15184a9

SHA1
25dafd6ccb4cf46045a46876ecd78aaadef634b9

SHA256
1ff07ee74c435bdce0b7177e6bee7ddbaaff0f06cca9af093dc47c40ffefad2a

SHA512
e22846659ab018c59c312307b30cdcbe8881b9dcc8adf879a27d10ff94cd5d0889692a3fe77408916aa33dd9f7f9ff6aa227c6af49cfcbefea110dc477138cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PDCmd.exe
MD5
1aebfb9d86dfeae78bf74bd569c79410

SHA1
83bd18b6aa32fb59e1bbfce02ae04b8629c0384f

SHA256
ec45dbe1d075a46c6fcb406fdb6e4ab35656deab423229d7e0dca32bd32a142c

SHA512
13545e921ec20e954675c1554a50fd214c9bfe3c590b44c502f827af1731cb022b3d58ca40007bf782325d865e029914ac097cb0b0febce9d14e502a743ff10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PDElevationWorker.exe
MD5
c22686653cf9509df252f1ef50b3f2dd

SHA1
39fdaec249a843097029ec20a9f2e828c35b75f8

SHA256
9863251f92fb7b88773a7d26ba0d745e42ba9c0ab7e704bc224f02f440aec142

SHA512
6216c95e85cbe045f79b4ade8ab7102974242bfaa66fcda6b75a02b60432f58329fed0d5aaeba4ff7bf69185df41681b15bbe8aa4d90b8ebc68c94d20d3bacf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PDFsPerf.dll
MD5
0b981d6a6037fdccaba2e9615e44477e

SHA1
aabb5604aa93a73b808cabbef59455f4e808c6e7

SHA256
d8df92827c2d7c42139be5c571c10d37a7011baff0203c3398ed76cb523cfbb7

SHA512
f4490cca5894e4ff035b6d244bbb3e64419b02eb79986a4705f7fbc8583e355f5e9708a7bea5e39346fcca6e156ceb0758992c1c344db5d37625a81b9ff02f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PDVmGuest.dll
MD5
e00a6513bb3aaf24e40901c12f155e36

SHA1
f3b2b14b817ff9ec1f864267368565c1573a0092

SHA256
140912d5bd7555355bf242b590c83c04bf50e8753ef7c2fac46807c91a8d79d7

SHA512
0b126a495688e592f4a9b8b3eb2a47cccc20c3d434efb41a47f282d66cd1cea3b6c03177c388a721cc8f521f74b4f2b2ae76675d2a4faa61560ff25678798652

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PDVmGuestPS.dll
MD5
00b979959182770fa5b5262896c6f7cf

SHA1
f12f3871551c11482519a6792635a432d01eb020

SHA256
b7eec2fe03fa3522bb0945db0c2db6cdd62c8e6d439dea75d76b22966b919eab

SHA512
bddf8bc960972700c19deac7cc0e8b87efde947c33df644d6ac7162cacaee975b6b88477a9500cd812743e7630f4c3d06f6893c88608b9ada86e7694af74bce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PatchPDLocalDB.sql
MD5
c7efb813e548f84c73332c72a8aff183

SHA1
f8e9c5d84182cb82d70930cfcf3edb628aecf13a

SHA256
c35285565b4b28f2b0190eb7b7750a5462f79e6527783fde5ee87680f4cf2501

SHA512
105bfe5d9f8036058da4f06884c5bdce1c6e282d0fbb1ef3674e99c8b5813089f6f32d7ce2463fc79f47b0f64f5b59cf287e4f580a3cd256539a457557d37bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\PerfectDisk.exe
MD5
e6bc636d4901c987255b9302d4c57afe

SHA1
461b149f7ae7bf5221da8d63562ff0222afb89a1

SHA256
e4abed34082e87ceaa42028f7d23ac4c86ceb51bae63e6cb9c0cf0c86842692a

SHA512
2c4f1c38013f7d0261115f4acde57c54872fa98637decccabdf86654917c39f91fc8cbf05a4b60c076fa653b9f1226a9dee731b2afdb801796a9a5efe50bd7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\QtCore4.dll
MD5
b69cffa206c22a7526443d34546242c1

SHA1
2293672e2ad3dbfb02c7629818d4a70b232385bf

SHA256
85440b8ce0f96b282356c03b0fac0a5432e82c4f82e537aed25d3bb3c66c8a4c

SHA512
5da817680af5e3b074ab6226f4cd301bb8dbf4f2e53a8ddb2bb4bf1d8bc7af7bd2ad914140293726f40b948002e472082ceb7ca2d9fe34a81a610a07063fbf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\QtGui4.dll
MD5
b7d54e5b6e3d12e265532fdf3dcd4ca1

SHA1
97865d822af7c18f5ad46495e17bc810d8566274

SHA256
2ade60ec58047ef67e9bdc1c15f9ebbdeea632a97a15c9dc33d8776410accc61

SHA512
28ae85ad6ef2665bc76a7a037bcda926000e6d7e6732c22ea441b08c9333e32f0fc5290fd27bdd8f11ca3429c7a2c1448e38e84e92e11b3255272a39db70d592

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\chartdir50.dll
MD5
f5981f1397a06467ac1c495b72d896b3

SHA1
4d16ebff9ae935348a28e6ff21c63fe7a5a113ab

SHA256
1c4291eb5399f93cdee926bf8803ce4444b37cec1aa9c9eb6d30c7640a7172ad

SHA512
16dd57869a57aeef90ef7aded3055d0e26aa3a42f1398458ae5893a9942db52018c3867be5974f28e20732bb2c3dcf6a808f68a943c30c91ad069a9cc9c513ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\libeay32.dll
MD5
d1528ae31e69cb304104f953cda8814b

SHA1
67462e86ad05c4307214ffb1d2b9d61ddbf7036b

SHA256
26385762a483af231428244e433a7d8e41a43829e5c958f62b000f2dcafb6002

SHA512
939825bea5b44c274888acf3476524c74cd496052569fb9468bf87a3d74b81df5695d7836fd702cdf4243aa6b5ab166f5cc5eb9579e7928dee600e414eb82583

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\Program Files 64\Raxco\PerfectDisk\ssleay32.dll
MD5
f624d3bde983667da51d73bd11dff4db

SHA1
887472fe2ccb4a0a7441c5ff9aff6f938d2165e3

SHA256
030dade09d6b3e2a000468e3647d5503d942ac0569be2140edc75787eb5006d1

SHA512
e8a186e25308aca3f050a86ce492359d42f0ee477cd949a4002995f6740f53c85056938c8ed42aeef2c755ddcb5e250d8fce36fd075953a286e83ef379cd7f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\System64\Drivers\DefragFs.sys
MD5
7194353a9303e80ba0b22187e559eb13

SHA1
33d96278cfd16ac76310083cf42c1e56ce2f1e6f

SHA256
80ab8fad012a712e3658541aceb66bbbf3518e839e3c32173f6fb0ffa7b699e3

SHA512
53c9b76bbab3ea54c3fd26f5fc2d3c015d562a000320f636cee8b4bc951d59f2ab491dbc745663b5c910ccb119747ed26350a58313bb14debbb1b138c4ce10f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\System64\Drivers\DefragFs_VS2013.sys
MD5
bc7e064c51979da835ccfdc5f66165de

SHA1
0784d88d7c0b2cd3902a8a12d40c29998b73c5bc

SHA256
ab6aff3e4084dbd37a02314dde624b97efda2cf15c143658b13339973c5834b2

SHA512
fc678532ca3591af3089153a81a5284ca9d62b904f56dc15187ee2992b2e4e1ecb09b3955bec68ed2ba7fbe57f9c3a31ca46adcf0840415d4d793b65935f4ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\System64\Drivers\PDFsFilter.sys
MD5
9f5e27c8b88a8da1dc93e93a5c27bb9b

SHA1
ac7de98d0bc76a5fe4cfeb4ee5fc8f474e349e44

SHA256
296516c813f0afe1bc6b837b213141c0b07f06448f706988990b802fa89d45dc

SHA512
9346e9ca509859aa57bb15a4f650f9b10ae7daf2c6d577a25b692ff0f4ea92e2e8ca8e89eaabc35d50e3a97ade80d1c5f59a720be0122f801b60c6db53ae063e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\System64\Drivers\defragfs_VS2015.sys
MD5
38454c2221dfa19b4b7aa30f29e560d4

SHA1
438f00c0052764658cfac660b5b31a998654ad98

SHA256
c74469af2c476933b7cb0234269e7de601731cb2d7287c7b28023ba09a10b751

SHA512
016c2f78d7fc72f5e5e4f1a05a353778efddb1add8f1ff30fcd2759abe525ad1b48840b826269f3ec2a78f533c2b249a777c55d60024f08064d175adacb312e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaxcoTEMP\System64\PDBoot.exe
MD5
e70624d192be506059126948965a251d

SHA1
f1dbec0d32d0579b2ac6ffc705213def9ebb0413

SHA256
6a36934f01f7232306cbb5d51cf9a14430940a885b0b394b480bf9e66aac8d65

SHA512
ab402c3b78650e7143321b491502dda5971f38300566e5f653c5053fc6227150695882adef00213d4d4fca9671e9177575b12bfe8e00cd7264427ee8608f06db

Download Submit
C:\Windows\Installer\MSI60DB.tmp
MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
C:\Windows\Installer\MSI6262.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
C:\Windows\Installer\MSI6502.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
C:\Windows\Installer\MSI6689.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
C:\Windows\Installer\MSI75E6.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
C:\Windows\Installer\MSI75E7.tmp
MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\MSI7C40.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD683.tmp\Aero.dll
MD5
5155e506b908b41e113bbd7c10d4082f

SHA1
0e0d2d3a6c76c08d434ac7359eb9927f82ac6065

SHA256
9bbbdd180dac3cf4ce36cbc12bd862cdd00880d87027395f92ede5476d1f0dd0

SHA512
a43f04fffb05458a307054caaa45ba81c383b0265d7af798996806ecb07b72bb5350df7bf4d6d7b21a30c82f4308343845bb32cc8e0ad0cd36e352499ca7ccb1

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD683.tmp\BrandingURL.dll
MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD683.tmp\LangDLL.dll
MD5
d6d8addfea0ee1bba9b841e3bec0b5cd

SHA1
a36ba78140600a7b1a502bea25c50c76666f5d3f

SHA256
ccb76172c2565356a838d7867a51e021478fed4d83eb41fe1dbb703f8efa28f9

SHA512
3f85eb0baca0794adbc7460af8b3b21d5b0b9d250eeba842f8524ea9736877aaabd5f51035bee8836ad46bf1d01e416119ca7f296bae32bacdad44622c1715ec

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD683.tmp\System.dll
MD5
f4e3fa5c852d2bdc41756e58124b21d3

SHA1
a49ec55e50d25efa45ce93366fb64c4fbb1d8261

SHA256
e457505b7648838185fd971e19daf6fd626824d7935a2701342df7099315e62c

SHA512
3ccbd9bf27d7927fdf34aecf672d78cb85d00b2b53da631f60683e46d85eda73021d2ae2c7c3d533424b1f8d174093d2186e1bd821fe02312fc142048b75d243

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD683.tmp\nsDialogs.dll
MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Windows\Installer\MSI60DB.tmp
MD5
fadffef98d0f28368b843c6e9afd9782

SHA1
578101fadf1034c4a928b978260b120b740cdfb9

SHA256
73f7e51214b775421f6679acabc51ac1d34b4271116f5f3dd3426df50d214886

SHA512
ba5ab56a7e5d2e54fc304d77c78a14b35b187fdd95a090d39193b3da6ab40ef1b38c3cd56b160edceded3d622c0b645376efaf3df8fc8c437f448f91587f3233

Download Submit
\Windows\Installer\MSI6262.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
\Windows\Installer\MSI6502.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
\Windows\Installer\MSI6689.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
\Windows\Installer\MSI75E6.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
\Windows\Installer\MSI75E7.tmp
MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
\Windows\Installer\MSI7C40.tmp
MD5
9fa2b948b4e2140eaf523d0d92339d21

SHA1
f61696e21b768e850339013bf9dbaeca8f7656b9

SHA256
c4264759680511ac4d6138279992175bd7f2e09a5c1a94f0ec50503a12b11b0e

SHA512
176e1e1d1f20a9397c560c4dc4e6c4af5b2630b176f99a4d8ccef8184b46a74d4e77ab36387b4ead4c41445cf19367d6f16ce38c19cbf764b5063a8daf90f469

Download Submit
memory/1400-131-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1452-59-0x0000000000000000-mapping.dmp

Download
memory/1568-67-0x0000000000000000-mapping.dmp

Download
memory/1576-129-0x0000000000000000-mapping.dmp

Download
memory/1592-133-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1592-132-0x0000000000000000-mapping.dmp

Download
memory/1596-135-0x0000000000000000-mapping.dmp

Download
memory/1692-79-0x0000000000000000-mapping.dmp

Download
memory/1728-62-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1760-63-0x0000000000000000-mapping.dmp

Download
memory/1780-134-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1796-127-0x0000000000000000-mapping.dmp

Download
memory/2040-53-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/2268-136-0x000000013FA60000-0x0000000140582000-memory.dmp

Filesize
11.1MB

Download