6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d

Analysis

max time kernel
56s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
15-11-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InformeInfraccioneCONASET.msi
Size

4.7MB
MD5

82f3f74379c6dbdbca3a64c5717c2faa
SHA1

ba5562e233c1f83d6929db8dd03860a99bf58fa4
SHA256

6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d
SHA512

8bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1
SSDEEP

98304:wph2BBopK5X4MkjkZMiWFLH/qJ/YOKa4RpnoYbO:eQuKl5kjQMr/qJ/YFaO9DO

Score

6^/10

execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	4916	msiexec.exe
6	4916	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe	msiexec.exe
File created	C:\Program Files\PDQ\PDQConnectAgent\LICENSE.html	msiexec.exe
File created	C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2A50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B84.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA9E26B7ABE645EE98A19139A7329A479B\pdqconnectagent-setup.exe	rundll32.exe
File created	C:\Windows\Installer\e5816c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA794B3B23644B1B39C4CE4A95D9566F69\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA9E26B7ABE645EE98A19139A7329A479B\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1E74.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI228E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA9E26B7ABE645EE98A19139A7329A479B\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2A61.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3157.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCABF140BCC6B4C045A322BAFDC5C36C577\pdqconnectupdater-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA794B3B23644B1B39C4CE4A95D9566F69\WixSharp.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCABF140BCC6B4C045A322BAFDC5C36C577\pdqconnectupdater-setup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA119A8AAB2346CE3BE85BF2966ED154EB\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1EC3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA9FC8C6E59F44B6A9A3D6D10DB0BCD7A1\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\wix{F03416B2-8C97-4CC4-8578-5F6A58033B84}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\SFXCA99C49C43F544134A4F33945851B6A2F2\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCABF140BCC6B4C045A322BAFDC5C36C577\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1C02.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA76D9D89CE2407BCA4F7B61156935B70A\pdqconnectagent-setup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA9E26B7ABE645EE98A19139A7329A479B\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA9E26B7ABE645EE98A19139A7329A479B\pdqconnectagent-setup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCABF140BCC6B4C045A322BAFDC5C36C577\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3860.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA794B3B23644B1B39C4CE4A95D9566F69\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA794B3B23644B1B39C4CE4A95D9566F69\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI357F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA9FC8C6E59F44B6A9A3D6D10DB0BCD7A1\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\e5816c2.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0EC05CD8-8D17-472C-86DA-AF1E5356256F}	msiexec.exe
File created	C:\Windows\Installer\wix{0EC05CD8-8D17-472C-86DA-AF1E5356256F}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\SFXCA119A8AAB2346CE3BE85BF2966ED154EB\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA76D9D89CE2407BCA4F7B61156935B70A\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA119A8AAB2346CE3BE85BF2966ED154EB\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA76D9D89CE2407BCA4F7B61156935B70A\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\e5816c2.msi	msiexec.exe
File created	C:\Windows\Installer\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\e5816bf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA9FC8C6E59F44B6A9A3D6D10DB0BCD7A1\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA99C49C43F544134A4F33945851B6A2F2\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\app_icon.ico	msiexec.exe
File created	C:\Windows\Installer\e5816bf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA119A8AAB2346CE3BE85BF2966ED154EB\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI24E1.tmp	msiexec.exe
File created	C:\Windows\Installer\e5816c6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA76D9D89CE2407BCA4F7B61156935B70A\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI359F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA99C49C43F544134A4F33945851B6A2F2\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA9FC8C6E59F44B6A9A3D6D10DB0BCD7A1\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA76D9D89CE2407BCA4F7B61156935B70A\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA9FC8C6E59F44B6A9A3D6D10DB0BCD7A1\pdqconnectagent-setup.pdb	rundll32.exe
File created	C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCABF140BCC6B4C045A322BAFDC5C36C577\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F03416B2-8C97-4CC4-8578-5F6A58033B84}	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
5060	pdq-connect-agent.exe
1796	pdq-connect-updater.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
680	sc.exe

Loads dropped DLL 21 IoCs

pid	Process
956	MsiExec.exe
2716	rundll32.exe
956	MsiExec.exe
956	MsiExec.exe
4536	rundll32.exe
956	MsiExec.exe
956	MsiExec.exe
1740	MsiExec.exe
3432	rundll32.exe
1740	MsiExec.exe
2652	rundll32.exe
1740	MsiExec.exe
4380	rundll32.exe
1740	MsiExec.exe
1740	MsiExec.exe
2372	MsiExec.exe
4276	rundll32.exe
2372	MsiExec.exe
2372	MsiExec.exe
4868	rundll32.exe
2372	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 63 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6496	powershell.exe
1440	powershell.exe
6904	powershell.exe
2296	powershell.exe
5936	powershell.exe
4320	powershell.exe
5176	powershell.exe
7060	powershell.exe
3068	powershell.exe
5984	powershell.exe
3672	powershell.exe
5476	powershell.exe
2680	powershell.exe
5492	powershell.exe
980	powershell.exe
5180	powershell.exe
6276	powershell.exe
6940	powershell.exe
1640	powershell.exe
2160	powershell.exe
2736	powershell.exe
5976	powershell.exe
5616	powershell.exe
5260	powershell.exe
880	powershell.exe
2064	powershell.exe
3268	powershell.exe
6604	powershell.exe
2680	powershell.exe
3760	powershell.exe
6652	powershell.exe
6832	powershell.exe
6248	powershell.exe
2920	powershell.exe
5960	powershell.exe
6152	powershell.exe
6236	powershell.exe
4472	powershell.exe
3200	powershell.exe
5512	powershell.exe
5972	powershell.exe
3364	powershell.exe
5664	powershell.exe
5504	powershell.exe
3636	powershell.exe
3108	powershell.exe
3528	powershell.exe
7160	powershell.exe
2080	powershell.exe
2152	powershell.exe
2036	powershell.exe
5820	powershell.exe
4844	powershell.exe
5792	powershell.exe
2372	powershell.exe
1880	powershell.exe
5124	powershell.exe
3608	powershell.exe
1276	powershell.exe
6576	powershell.exe
6004	powershell.exe
5852	powershell.exe
5724	powershell.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4916	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DC50CE071D8C27468ADFAE1356552F6\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Version = "196608"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\ProductIcon = "C:\\Windows\\Installer\\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\\app_icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DC50CE071D8C27468ADFAE1356251F6\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\PackageCode = "F48D6C58CE73B4D449EDBD32ED6FF1F1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\ProductIcon = "C:\\Windows\\Installer\\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\\app_icon.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\PackageName = "InformeInfraccioneCONASET.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2B61430F79C84CC45887F5A6803ABC48	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\ProductName = "PDQConnectAgent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2B61430F79C84CC45887F5A6803ABC48\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\PackageName = "PDQConnectUpdater-0.3.0.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\PDQ\\PDQConnectAgent\\Updates\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\ProductName = "PDQConnectUpdater"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Net\1 = "C:\\ProgramData\\PDQ\\PDQConnectAgent\\Updates\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B61430F79C84CC45887F5A68530B348\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\PackageCode = "434F680B9DE97584B94705A9B6D3133F"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DC50CE071D8C27468ADFAE1356251F6	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Version = "84279302"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
552	msiexec.exe
552	msiexec.exe
552	msiexec.exe
552	msiexec.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
4320	powershell.exe
4320	powershell.exe
4320	powershell.exe
2160	powershell.exe
2160	powershell.exe
2160	powershell.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
1440	powershell.exe
1440	powershell.exe
980	powershell.exe
980	powershell.exe
1440	powershell.exe
3364	powershell.exe
3636	powershell.exe
3364	powershell.exe
3636	powershell.exe
2036	powershell.exe
2036	powershell.exe
2372	powershell.exe
2372	powershell.exe
2152	powershell.exe
2152	powershell.exe
3200	powershell.exe
3200	powershell.exe
2680	powershell.exe
2680	powershell.exe
980	powershell.exe
980	powershell.exe
3672	powershell.exe
3672	powershell.exe
2372	powershell.exe
1440	powershell.exe
1440	powershell.exe
3200	powershell.exe
3636	powershell.exe
3068	powershell.exe
3068	powershell.exe
2152	powershell.exe
2036	powershell.exe
3364	powershell.exe
2680	powershell.exe
3672	powershell.exe
3068	powershell.exe
5664	powershell.exe
5664	powershell.exe
5504	powershell.exe
5504	powershell.exe
6004	powershell.exe
6004	powershell.exe
5984	powershell.exe
5984	powershell.exe
5180	powershell.exe
5180	powershell.exe
5976	powershell.exe
5976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4916	msiexec.exe
Token: SeSecurityPrivilege	552	msiexec.exe
Token: SeCreateTokenPrivilege	4916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4916	msiexec.exe
Token: SeLockMemoryPrivilege	4916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4916	msiexec.exe
Token: SeMachineAccountPrivilege	4916	msiexec.exe
Token: SeTcbPrivilege	4916	msiexec.exe
Token: SeSecurityPrivilege	4916	msiexec.exe
Token: SeTakeOwnershipPrivilege	4916	msiexec.exe
Token: SeLoadDriverPrivilege	4916	msiexec.exe
Token: SeSystemProfilePrivilege	4916	msiexec.exe
Token: SeSystemtimePrivilege	4916	msiexec.exe
Token: SeProfSingleProcessPrivilege	4916	msiexec.exe
Token: SeIncBasePriorityPrivilege	4916	msiexec.exe
Token: SeCreatePagefilePrivilege	4916	msiexec.exe
Token: SeCreatePermanentPrivilege	4916	msiexec.exe
Token: SeBackupPrivilege	4916	msiexec.exe
Token: SeRestorePrivilege	4916	msiexec.exe
Token: SeShutdownPrivilege	4916	msiexec.exe
Token: SeDebugPrivilege	4916	msiexec.exe
Token: SeAuditPrivilege	4916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4916	msiexec.exe
Token: SeChangeNotifyPrivilege	4916	msiexec.exe
Token: SeRemoteShutdownPrivilege	4916	msiexec.exe
Token: SeUndockPrivilege	4916	msiexec.exe
Token: SeSyncAgentPrivilege	4916	msiexec.exe
Token: SeEnableDelegationPrivilege	4916	msiexec.exe
Token: SeManageVolumePrivilege	4916	msiexec.exe
Token: SeImpersonatePrivilege	4916	msiexec.exe
Token: SeCreateGlobalPrivilege	4916	msiexec.exe
Token: SeBackupPrivilege	5012	vssvc.exe
Token: SeRestorePrivilege	5012	vssvc.exe
Token: SeAuditPrivilege	5012	vssvc.exe
Token: SeBackupPrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeTakeOwnershipPrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeTakeOwnershipPrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeTakeOwnershipPrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeTakeOwnershipPrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeTakeOwnershipPrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeTakeOwnershipPrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeTakeOwnershipPrivilege	552	msiexec.exe
Token: SeRestorePrivilege	552	msiexec.exe
Token: SeTakeOwnershipPrivilege	552	msiexec.exe
Token: SeBackupPrivilege	3432	rundll32.exe
Token: SeBackupPrivilege	3432	rundll32.exe
Token: SeBackupPrivilege	3432	rundll32.exe
Token: SeBackupPrivilege	3432	rundll32.exe
Token: SeBackupPrivilege	3432	rundll32.exe
Token: SeBackupPrivilege	3432	rundll32.exe
Token: SeBackupPrivilege	3432	rundll32.exe
Token: SeSecurityPrivilege	3432	rundll32.exe
Token: SeBackupPrivilege	3432	rundll32.exe
Token: SeSecurityPrivilege	3432	rundll32.exe
Token: SeBackupPrivilege	3432	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4916	msiexec.exe
4916	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 696	552	msiexec.exe	104
PID 552 wrote to memory of 696	552	msiexec.exe	104
PID 552 wrote to memory of 956	552	msiexec.exe	106
PID 552 wrote to memory of 956	552	msiexec.exe	106
PID 956 wrote to memory of 2716	956	MsiExec.exe	107
PID 956 wrote to memory of 2716	956	MsiExec.exe	107
PID 956 wrote to memory of 4536	956	MsiExec.exe	108
PID 956 wrote to memory of 4536	956	MsiExec.exe	108
PID 552 wrote to memory of 1740	552	msiexec.exe	109
PID 552 wrote to memory of 1740	552	msiexec.exe	109
PID 1740 wrote to memory of 3432	1740	MsiExec.exe	110
PID 1740 wrote to memory of 3432	1740	MsiExec.exe	110
PID 1740 wrote to memory of 2652	1740	MsiExec.exe	111
PID 1740 wrote to memory of 2652	1740	MsiExec.exe	111
PID 1740 wrote to memory of 4380	1740	MsiExec.exe	112
PID 1740 wrote to memory of 4380	1740	MsiExec.exe	112
PID 4380 wrote to memory of 680	4380	rundll32.exe	113
PID 4380 wrote to memory of 680	4380	rundll32.exe	113
PID 5060 wrote to memory of 3660	5060	pdq-connect-agent.exe	117
PID 5060 wrote to memory of 3660	5060	pdq-connect-agent.exe	117
PID 552 wrote to memory of 2372	552	msiexec.exe	118
PID 552 wrote to memory of 2372	552	msiexec.exe	118
PID 2372 wrote to memory of 4276	2372	MsiExec.exe	119
PID 2372 wrote to memory of 4276	2372	MsiExec.exe	119
PID 2372 wrote to memory of 4868	2372	MsiExec.exe	120
PID 2372 wrote to memory of 4868	2372	MsiExec.exe	120
PID 5060 wrote to memory of 4472	5060	pdq-connect-agent.exe	128
PID 5060 wrote to memory of 4472	5060	pdq-connect-agent.exe	128
PID 5060 wrote to memory of 4320	5060	pdq-connect-agent.exe	130
PID 5060 wrote to memory of 4320	5060	pdq-connect-agent.exe	130
PID 5060 wrote to memory of 2160	5060	pdq-connect-agent.exe	132
PID 5060 wrote to memory of 2160	5060	pdq-connect-agent.exe	132
PID 5060 wrote to memory of 2080	5060	pdq-connect-agent.exe	134
PID 5060 wrote to memory of 2080	5060	pdq-connect-agent.exe	134
PID 5060 wrote to memory of 1440	5060	pdq-connect-agent.exe	136
PID 5060 wrote to memory of 1440	5060	pdq-connect-agent.exe	136
PID 5060 wrote to memory of 980	5060	pdq-connect-agent.exe	138
PID 5060 wrote to memory of 980	5060	pdq-connect-agent.exe	138
PID 5060 wrote to memory of 3636	5060	pdq-connect-agent.exe	140
PID 5060 wrote to memory of 3636	5060	pdq-connect-agent.exe	140
PID 5060 wrote to memory of 3200	5060	pdq-connect-agent.exe	141
PID 5060 wrote to memory of 3200	5060	pdq-connect-agent.exe	141
PID 5060 wrote to memory of 2036	5060	pdq-connect-agent.exe	142
PID 5060 wrote to memory of 2036	5060	pdq-connect-agent.exe	142
PID 5060 wrote to memory of 2372	5060	pdq-connect-agent.exe	143
PID 5060 wrote to memory of 2372	5060	pdq-connect-agent.exe	143
PID 5060 wrote to memory of 2680	5060	pdq-connect-agent.exe	144
PID 5060 wrote to memory of 2680	5060	pdq-connect-agent.exe	144
PID 5060 wrote to memory of 2152	5060	pdq-connect-agent.exe	145
PID 5060 wrote to memory of 2152	5060	pdq-connect-agent.exe	145
PID 5060 wrote to memory of 3672	5060	pdq-connect-agent.exe	146
PID 5060 wrote to memory of 3672	5060	pdq-connect-agent.exe	146
PID 5060 wrote to memory of 3364	5060	pdq-connect-agent.exe	147
PID 5060 wrote to memory of 3364	5060	pdq-connect-agent.exe	147
PID 5060 wrote to memory of 3068	5060	pdq-connect-agent.exe	156
PID 5060 wrote to memory of 3068	5060	pdq-connect-agent.exe	156
PID 3364 wrote to memory of 6104	3364	powershell.exe	158
PID 3364 wrote to memory of 6104	3364	powershell.exe	158
PID 980 wrote to memory of 5568	980	powershell.exe	161
PID 980 wrote to memory of 5568	980	powershell.exe	161
PID 3068 wrote to memory of 5664	3068	powershell.exe	162
PID 3068 wrote to memory of 5664	3068	powershell.exe	162
PID 5568 wrote to memory of 3812	5568	csc.exe	164
PID 5568 wrote to memory of 3812	5568	csc.exe	164

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\InformeInfraccioneCONASET.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:696
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DCECCC5445269422580C691F724819A0
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI17AA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240654343 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:2716
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI1C02.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240655421 16 WixSharp!WixSharp.ManagedProjectActions.WixSharp_BeforeInstall_Action
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:4536
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 1F0B3882AB6F76ACC9B2693A8471D6D3 E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI1F31.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240656281 38 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.CreateEventSource
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI228E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240657062 44 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.WriteToken
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:2652
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI24E1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240657718 50 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.StartService
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start "PDQConnectAgent"
      4⤵
      Launches sc.exe
      PID:680
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 751304BEC49308601D82B92945D51B1F E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI3157.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240661000 61 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:4276
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI35FE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240662078 77 pdqconnectupdater-setup!pdqconnectupdater_setup.CustomActions.CreateEventSource
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:4868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe
"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe" --service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\system32\msiexec.exe
  "msiexec" /i C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi /quiet /qn /norestart /L*V C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log
  2⤵
  PID:3660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\4gbj2gww\4gbj2gww.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5568
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES9FD5.tmp" "c:\Windows\Temp\4gbj2gww\CSC281741EAC0B945369FB518F1AD73E06.TMP"
      4⤵
      PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- - C:\Windows\TEMP\830B0B17-72F8-4FE0-BC02-F6EDE69E003B\dismhost.exe
    C:\Windows\TEMP\830B0B17-72F8-4FE0-BC02-F6EDE69E003B\dismhost.exe {78A29109-B1B5-4DB1-8ED0-BE35E7BE3761}
    3⤵
    PID:5544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\dsregcmd.exe
    "C:\Windows\system32\dsregcmd.exe" /status
    3⤵
    PID:6104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:5664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5504
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\r4lzbgdy\r4lzbgdy.cmdline"
    3⤵
    PID:6292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESBE88.tmp" "c:\Windows\Temp\r4lzbgdy\CSC11E998CB5A6E426199CCA4833474F57B.TMP"
      4⤵
      PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5976
- - C:\Windows\TEMP\ADD7D517-8CD3-4BFF-85B8-7D17D0E49707\dismhost.exe
    C:\Windows\TEMP\ADD7D517-8CD3-4BFF-85B8-7D17D0E49707\dismhost.exe {7CB91EDA-2B96-4FC1-B141-D1F951F15F5F}
    3⤵
    PID:6628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:5960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:6004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5180
- - C:\Windows\system32\dsregcmd.exe
    "C:\Windows\system32\dsregcmd.exe" /status
    3⤵
    PID:5680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:5616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:3528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3760
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2920

C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe
"C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe" --service
1⤵
- Executes dropped EXE
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5816c0.rbs

Filesize
399KB

MD5
d7556806b346688cf894b6e179387730

SHA1
8bbd6fdb052dfa3be26d01654ab20f22db2bd92c

SHA256
2ed285f2e1fba266d3233057202b19c2637e3f1a1876649f2a5a1ef94112cae6

SHA512
184df965d35d231f96ae5d44cffd6fd48d08542964b3ed767ef936e08e4cace9ba663f68cc884610297d4e875a686a5026b40bab332f3d6c0c64228b5587ebc5

Download Submit
C:\Config.Msi\e5816c5.rbs

Filesize
398KB

MD5
601211b5e3f50cfd57ada816c99c9432

SHA1
234726791b2e8eb4d98b5693423145471e4efd63

SHA256
c5fe9d19e9dea2c2bc7c0cd64cbf74962cfa42dce50b396d2d0ffb8c64cb54d1

SHA512
62712f15fd9023c96c5519ab058ecc26bb3525c5abba609576fa12d55070e609fbfd3fb7ed3812c5972f1c92980abd5f30e4c58c6cce8602ab02b502e713c44c

Download Submit
C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe

Filesize
8.7MB

MD5
261615a6f6874fbd61b5ac3dc15d17fc

SHA1
605c394c5f4968f181cf8cdcf5642c250fd9a8e5

SHA256
56186e8c33ad8da8621134794f3a8dee38f9b0462e2dd679908c1374938ddb36

SHA512
5273ae4a371e8e0dd8db836a9e59d222e90c5aa619564ab4cfdb107ec5becb01b2f188f78d8b2cf10dd2bb0ab0cd288c7af537351ed65b21dde80c9aa0cf825d

Download Submit
C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe

Filesize
3.3MB

MD5
bb3ca7301fa7d4434ffa7e294b9827c4

SHA1
60ac464927553aea2c5ab33345f074fe1ede4217

SHA256
8daa7bc4f2e938960186dfd65ee38cc8917361c90dc9cfef5f2ce83306691988

SHA512
56e54e21806da03b9ad3806dcec1bb25cd371a438e1b78923df9c96a0d76ac00484c0caaeff72dd3720edf7bb120607b79dd30ceea8851c21cbb58d5679ffab4

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi

Filesize
3.0MB

MD5
5b37244e2bdbaa4c00da0cc09928cb98

SHA1
39716cc8fbbcf23bf9e5b17b2ddfbf95668e53b7

SHA256
101665452ebc6e400550380510e8db10a9ce2af1e458f928ca4b0188daeceb9d

SHA512
377bf3868b41026680e11dde3086afdd48518187e3f831efddeae0a50fce74ba69b364b8a99bfed574c1c2349806602cef6e6d492b4b05f17eda6e3555f403d8

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log

Filesize
1KB

MD5
b21fb37b03066a6058ac9c89dacbf704

SHA1
3bc605b0fd9d0923415d7680a13dc1f1e8297dfe

SHA256
003bf367f9b9913e59205c43f70fdd41f97507c69a7ee968a99048f43c22581b

SHA512
2427b44a36643f765fe8ca00114de276153c756290574b24e7fa9d670e8da1cc3acddb3cf9bda6fa1728e82a2bb20360760a713b248991881fc6a8993c3c86d3

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\token

Filesize
86B

MD5
2a56b04396f6c0f9633aa1c7be624691

SHA1
5f9fb318948cc089cb53fe3cdd30fe189c465c9c

SHA256
b7cf14f5ae19b6000f07c4ce9d217236d4c220e1b6087c4e89230bb9ed3d5105

SHA512
fe7681852fb40f362d8dc68347038108cc2a7db9462df5d4bfd3a873ba5da23ea5ccd4abb4b68ddf957fca20f1f9da03c20c96d9e6da622e2459adaa640d63a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
317a57949cf9ab438b72dc6351326be5

SHA1
6ae1b4e04ebc5918628f841ea12d858f306d731f

SHA256
9612633f30b56d10ba3c05ef02197266ffca484e8cdd373e87a5e509434c2479

SHA512
b282138bc9f1b827116512bd2cfd5d4d7e30962a1fb10088bd2348d36dd54ceac84a32acf6a812bd87313b32e99364db7268c343334d40136887d0f5e183c45c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4

Filesize
727B

MD5
0c4707fc50c21a6158897f7bf51dab48

SHA1
09e2cdbf14aa7d53d87cddb88c9068f28b350d8b

SHA256
12f9300e0bb8820e47b651cc18429d44d45d4386a5a56d533330ef77655aa504

SHA512
6db3697095287093575329519024ab98cf8812d9c5c1923664db98ceddd13c11096d067e328b3795a5d4b0ea1a31687c0388620b1d73391fa15edc1522bfbea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CB7DFFEEA63BAB482BD2705E7E24AB_D64C5BFAB2C28B4652E4AC7169A0D3DB

Filesize
727B

MD5
8a1aea51eb477b7a13061790ac667ca9

SHA1
3289b357cca5c23365431824aa6c334b0cd70d4a

SHA256
9bb4897df29570868854be408d1dc8258d40049184484630bcc3f0c9911458b7

SHA512
84c7d1c92e485c863563d6d3059e20a91d52c70948cd84c9b58a6df8dd228855702144f73c32ab75c2dde6962dd55ae356b9de66a1827dcde00ac98564ad9501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
711c3b384f4beaf7e3b788f483ac9dd3

SHA1
15eec60682c100ab1368e85e438eda07216125ab

SHA256
49cddcebff23d1636c4b590bfc458ff03428a9ccb17ae6ec3e0974c1e058a4c7

SHA512
ba2451190b530d30cea9aaf13b18a1160b7080e6613564a61b5501b484da90c7ac69cac0ad00fe1b4fb122144a92d98da264a7efb26a8c81dceee13321a36afa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4

Filesize
416B

MD5
35e37978f399d3816529d4c9c38cd2c0

SHA1
aea5c90f50fb828b04f1e1aa2228d0c01f0226bb

SHA256
e96f2e88d7aec6fd2b6dbf5f2a1487002e9a892e5b0e37d7fddb85a6dc6b6af3

SHA512
74e551710eb38849125a9e21191d800c5dd06693d5f72eb3fd57711d3d3fedd292441e318f5d4e6402e9b3d5338f5fa330d0801a1d3b5a97f610458bef5ba7af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CB7DFFEEA63BAB482BD2705E7E24AB_D64C5BFAB2C28B4652E4AC7169A0D3DB

Filesize
408B

MD5
a0f593fac62395163b38871837db2ebf

SHA1
1b8994902b91849fe22463a8ffb2d094f6ee39da

SHA256
98923cf5e5770234e1c78c193f080a93ca98d3ea35c76cca2b27237d9807a2c6

SHA512
c054fa55d361c9b338fbc1103b94ab722df736c0714963f25a2c09645a234f3e52d9bb13e1d792f15b1dc2c09781877abedbe512c260fed31098f5a960b3090f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
00bfeb783aeff425ce898d55718d506d

SHA1
aac7a973dc1f9ca7abc529c7ea37ad7eaf491b8f

SHA256
d06099ef43eb002055378b1b6d9853f9b1f891ada476932ba575d1f97065a580

SHA512
2209d5f4999cb36ebf26c6b8cb3195cc9fc0f0a103f4a28dd77b04605d7c6e79d47d806454c63b8d42bbe32864be7cdb56df3cccf71a6c27fe0b331d8304e1ff

Download Submit
C:\Windows\Installer\MSI17AA.tmp

Filesize
549KB

MD5
45e153ef2e0aa13c55cd25fafa3bce90

SHA1
9805ae1f48e801df6df506f949b723e6553ce2e5

SHA256
2104d3c13e6b624a7d628534fcdf900730752f9ff389b0f4fe1de77c33d8d4c1

SHA512
87f967910b99a9833a1cb6de12225cf6c7b08239e49059ae5303bfcd1c69bcc691d35ee676a761456ec2a6ded199ac30adc28b933cb8ad0e09c0a99456db3d8a

Download Submit
C:\Windows\Installer\MSI1B84.tmp

Filesize
390KB

MD5
e8dc682f2c486075c6aba658971a62cc

SHA1
7cd0a2b5047a4074aa06a6caa3bb69124851e95d

SHA256
7aacd4c18710e9bc4ff2034895a0a0c8f80f21809fb177d520e93f7688216e6d

SHA512
a0a1f0f418bf2d4ffd079b840aeb0142c7faab7fa72b5e33b1841798569f55a25dfd305abf9c2ca89792f6499f695b69975882697dc53e99d5a975a9fa8c7d75

Download Submit
C:\Windows\Installer\MSI1F31.tmp

Filesize
552KB

MD5
b8be9443eb257e5d64319aedd93006fb

SHA1
15d1195faa545c7ac3ab1fe6044047f6008fb0a8

SHA256
d81b62896e97bb77a7b7796665dce3ab9913352e9fe18d420818598cbeb4f34b

SHA512
429dfb4b845408d8c8c045d3295a05f817f4a03c037c9259a9867342bd5919c4d87d7fbae3d6641db9bf273965d642da2ab194ea26b6ebc07f77b42abd26b1bf

Download Submit
C:\Windows\Installer\MSI3157.tmp

Filesize
539KB

MD5
116108233cb1435bee51bbd8d05451f2

SHA1
e6f725c73bb9c68827a12706d6612ccf50cfd797

SHA256
85b6e5dc375ed84da40eb1571fb84b342a09daa040459aed737944cef22b3058

SHA512
d57f3fa1d365dc2e28c51a32c8bcd1316d5ee2a4fdd419df3354afbcea2a3ae6bcc6cef83d9ef283861ebf4f344d6d4f9a5e8596a24be74e209fa1e519e55bfa

Download Submit
C:\Windows\Installer\MSI35FE.tmp

Filesize
550KB

MD5
2fd5cb19412a83cedd1949df65fdca84

SHA1
f6d19feee650f38f878236ec6ed32ec139d271bd

SHA256
11d26f41e4b4abcf60b38b4200873fd18f65cab415268fdd74bca5d6e590cb18

SHA512
926a4c1d11a909b5402d546d93e2ac3229c2c32b4e96302fede7fa0b223d0c14096e0c00f7c728a0389775adac24ed8a49b6013ba89dbc5a12fb1ddacc9df77e

Download Submit
C:\Windows\Installer\SFXCA119A8AAB2346CE3BE85BF2966ED154EB\CustomAction.config

Filesize
980B

MD5
c9c40af1656f8531eaa647caceb1e436

SHA1
907837497508de13d5a7e60697fc9d050e327e19

SHA256
1a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8

SHA512
0f7033686befa3f4acf3ed355c1674eaa6e349fba97e906446c8a7000be6876f157bc015bf5d3011fbbdc2c771bcbaea97918b8d24c064cbbd302741cc70cbc7

Download Submit
C:\Windows\Installer\SFXCA119A8AAB2346CE3BE85BF2966ED154EB\WixSharp.dll

Filesize
602KB

MD5
ebed2675d27b9383ee8e58bdeddd5da4

SHA1
4dc37974db638ec02363c784fa2c178125f4280f

SHA256
caa9da1c55e33446eaeb783957e990847369423c7dd652f07a5c93bf1d786a66

SHA512
b13538f58b766abd013f73d398eaa4e1adec3fc967415bf7f95198e6f55ac65a12a0c3863708b6fb525ef4a01f0ab88485bb990527bc0e4f5159c8419811dfab

Download Submit
C:\Windows\Installer\SFXCA119A8AAB2346CE3BE85BF2966ED154EB\WixToolset.Dtf.WindowsInstaller.dll

Filesize
193KB

MD5
b82b13d16e7f3d3607026f61b7295224

SHA1
d17b76907ea442b6cc5a79361a8fcec91075e20d

SHA256
bcc548e72b190d8f39dcb19538444e2576617a21caba6adcb4116511e1d2ddee

SHA512
be8c0b8b585fc77693e7481ca5d3f57a8b213c1190782fd4700676af9c0b671523c1a4fa58f15947a14c1ff6d4cda65d7353c6ba848a3a247dfcda864869e93f

Download Submit
C:\Windows\Installer\SFXCA9FC8C6E59F44B6A9A3D6D10DB0BCD7A1\pdqconnectagent-setup.exe

Filesize
24KB

MD5
75f16349cafae8f37bd1e207e2ec83d2

SHA1
f16f6adf8fd8344749ee7c9afe899f11caa959fe

SHA256
f3bb2b9230b8a6066dfeeb172ad32ae3ea31d2d49c76bdcc8a1e2531fa61f5b7

SHA512
2b1cc8c0dfb787a01d8834f0193f7b30de04cbbec271a98502f98956c136aa16e9a0bd388b4e03c075a9cb1deb0f51fb4eecc92af3ce1c87b363ac5076fc823b

Download Submit
C:\Windows\Installer\e5816bf.msi

Filesize
4.7MB

MD5
82f3f74379c6dbdbca3a64c5717c2faa

SHA1
ba5562e233c1f83d6929db8dd03860a99bf58fa4

SHA256
6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d

SHA512
8bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
00d9eba8809926d57a55ca762b8e4ec6

SHA1
0810c413db7da916e7e27970a4517e83d548c184

SHA256
6a56183aa7dcc149ae617c5847cbe0709e42c7adba9c0e4833cdf7a5e6285521

SHA512
22ae0e824f99d828757f1d8b8cb1424b5ba00c65d57a8d31ee24c60640518c1176a432ae2fe07657928a613d0c9a6c6da4ea148bb3de367d5a0ac5b71fd26386

Download Submit
C:\Windows\TEMP\RES9FD5.tmp

Filesize
1KB

MD5
05f86e03d35b56e66bfe23a4b7852970

SHA1
1f57518462eafeb4db9723b65097d0837151afd1

SHA256
af0b14a020cbeffa5a49b3dbf4ec8e06dc65d076ce01687031976946594460d2

SHA512
c00440f171e11cd21cfe796d6ed9154777124a4c5382a3a5bf257b8292aed03e14b49f7bee1538769426fce924f18663edd6457a6e72aad415663bb207d25427

Download Submit
C:\Windows\Temp\ADD7D517-8CD3-4BFF-85B8-7D17D0E49707\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_rfwiqrlp.swn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
c24e9d1123bd6a335730119e7399c481

SHA1
53e88f378e61191fd1b0213e0beac692297cc5c2

SHA256
fbd6b175b9e1ffc92c569a6467172b6f1cebd4b8cd2d3bbb5119e1b4856cfe50

SHA512
3323e8e2d73cb4e986b25ccd7abfe350f5205f144999ffe01cf8e30e4eb6c6d68ac03b1f1a0c82e3d1ab292320e66c44263bcdf05e1c78b5953fa5bb5bf2a80d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d87725a59cf3a05a4538388aa07e4e1

SHA1
1aaf726902dc55f250203d9c7710eeef7f12ce8d

SHA256
5f18ec20fc4a804095c47afff4c39bc3af5af32463787617c3056162505e771d

SHA512
c812ef325b97f7f762fd878b4a1104578be1f730c28485078513c4169f465c87806de19c895ac4219e7f24a9e7a259859766d078f05158f1b81356323c88f2a2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ed6e4b4ee1fa088d1c98187471b0817

SHA1
58d1a47197928c982be273b903d448819f666e90

SHA256
82acaa1a861346960a272f5f5d9fd3e2e4c099e56d56c3ed9cce28582e9da1bd

SHA512
3a0d5ad452401191702a389b60f174dce395e90c38e9e2f480e0efdfddff06540858e30707b63207291822f6271382d828bedfd7f91b264f45937fdf8cb84148

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f896be6ab82d83c834f970603ad36a1e

SHA1
328e7a58919c135563063cf7535f652e1bfae125

SHA256
303ab86386d600e1e44ecf86e19effb477cb268cb34a139645288dc3f7cb661b

SHA512
07c4dc81de7f473c412bc8d25fab3ef943f6ee6133f718f6ee160ca8614d8c4ccb906358cfd05ff8c245ef4ce334b791ad24fd860712a00b771358111bcf53c4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a25ddf68871ab6a1a27cfbcdc674e9c

SHA1
ba29b47b611483b5c9f96dc1a71918170563c4f2

SHA256
cba7d193fdabad0074fcca36eccf7f10e671565d45930a5755bdd7638a9d904d

SHA512
7f18969b00a52b6bd0daa8b034cd6b1953aa7a9c8119e25b13c1f56007c5179489f6f688812a3a631e7dd496f33d2a2549a1718b3a636593ad3c93a499d8b2f7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea4aca50fff7979e5c92affe9517de7f

SHA1
a7aca17f1be2109ca4f3a14f5c4a349abdc3a26d

SHA256
9f002342bff08b9a2a2b0d7bb08d9e88b89c85aef7ef24c3e5cd22fbb8cd2098

SHA512
d96db0c139463c8a915bdd8434c04437c1f70ff6429dd597ab054e77dcdf6fe194cfa4ee6c9165e0fa8b33fda27cc40d3d3e660e03b3bbc7a323112fa656d90e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9840d019a1c05d7f06ea7dd43aaa4b02

SHA1
62a13a95659612a60d6efdc4b9bd5544aa9d386f

SHA256
e2eb057fffbcfda2955b4539c1340184309aacb1266eae5288513be5a2b2fb6b

SHA512
9eafaee49c3bab82e3b37369fe8a9cb259b5798cd390e9fd934df81cbe53988711c11f1827bce667144cb0666b80f227962f91abed53f042968ce8c53828d8e9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d91be6a011643f10e1542929be390605

SHA1
fb3202403a09ee454fbcc1ccc5efe16c4f7877bc

SHA256
22b6211e17651e6e9de4761f0bde82188dec743c25c48c84272172a8976ee14a

SHA512
a457ee99912710cb61f98d685c3ac89e259bf5d82eb43f101c5aa5a59f93dd6dea15ea1d6cf9f9f19a2fae43e04283ffae679e94121cc25ed4453a55519c6dd1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
c41ba909a158e0bab8912ec15227aad8

SHA1
be453dc8dbdcd773ca1f8467d05df4711667d64e

SHA256
92335f44ca1f5c09feecf1dba82f2da2bb332d529c90b91642ce3107ec55f43e

SHA512
4d759aecaf442f89936d8e7b18974571cd1a6eac24e4bd8387be702f9c3d4093ee7dda38a7a7485b533d7d1e06508fff87a32bb4c3776a7770c3ee91c5a93d11

Download Submit
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{68555607-c4f4-4aa1-84af-11c955bdc2aa}_OnDiskSnapshotProp

Filesize
6KB

MD5
2dfe43338b282e09760ee08b86c1b328

SHA1
4f0df52a39f1f1e756bab6024b18fde6a6fb3965

SHA256
7681750c65ad8ff190014481a9fc23ed3c4cb3d3ba1cf6e5514a7ec6a2f9a6b2

SHA512
1a467bad50e204088e2dfe14db19ff0cedafcc3d25fcc04116bd095fab06b216ca37e1a3cd877b3b6798872855f3ed4549c618c2514a276bd69131f204ccea8f

Download Submit
\??\c:\Windows\Temp\4gbj2gww\4gbj2gww.0.cs

Filesize
889B

MD5
dc979c0e403543f9000fc7650c17d17e

SHA1
907cf70a5b63337e620ca3da119e46145cf40546

SHA256
4c2601bd3a1eb9214c16e66e3b677f91f1c4072f0cc95d515b8cdea9b7708b3a

SHA512
f544d9fcb4ea073d2c8741a23f75bb67e404480aa3e781688a7913e1bab2edb25a42f70c739eb2d47215400e6ff0f8f9cfe0e64ee42c81010f43bb0a34d9655b

Download Submit
\??\c:\Windows\Temp\4gbj2gww\4gbj2gww.cmdline

Filesize
333B

MD5
4f06324708f34933c4ef5c2cf5efbfe0

SHA1
0d59f575854354a9ecd2e79bf96b99f77cf0338f

SHA256
5db9d32ed76e485e6c05988c8891282d0110574642f8ac5262ef87382f676610

SHA512
b598fae91964f1f7237ba0b335881b6212b023c55f516b72cd1a5f0cab62c529e6095a0248fd1b20b120ceca1061e6bcbb881c288e718154dc05810dac9a9c1d

Download Submit
\??\c:\Windows\Temp\4gbj2gww\CSC281741EAC0B945369FB518F1AD73E06.TMP

Filesize
652B

MD5
dcad7280bc0563ae77d0e4418f32ed2f

SHA1
4aa3c5b32f927275ee33b1879e59039b56d6d566

SHA256
14378ddd7af29ea574e939865e0592ff63957d14d41d83cc7d4ccd28474de87c

SHA512
9a5ece67303787c8605c59184910859c9b8518705333adfdf75eb0fe61c5061224dbb4ba09a1feaa96524725dc6af751f89d547d70a80aac9c46e0e9a4103212

Download Submit
memory/980-571-0x000002AE3E000000-0x000002AE3E008000-memory.dmp

Filesize
32KB

Download
memory/1440-489-0x000001E445A50000-0x000001E445C12000-memory.dmp

Filesize
1.8MB

Download
memory/1440-499-0x000001E446150000-0x000001E446678000-memory.dmp

Filesize
5.2MB

Download
memory/1440-479-0x000001E445680000-0x000001E445735000-memory.dmp

Filesize
724KB

Download
memory/2372-530-0x00000191EB540000-0x00000191EB55C000-memory.dmp

Filesize
112KB

Download
memory/2372-720-0x00000191EB940000-0x00000191EB95A000-memory.dmp

Filesize
104KB

Download
memory/2372-719-0x00000191EB300000-0x00000191EB310000-memory.dmp

Filesize
64KB

Download
memory/2716-36-0x0000026F4DB00000-0x0000026F4DB34000-memory.dmp

Filesize
208KB

Download
memory/2716-38-0x0000026F4E8D0000-0x0000026F4E96C000-memory.dmp

Filesize
624KB

Download
memory/3068-552-0x0000022A49AC0000-0x0000022A49C36000-memory.dmp

Filesize
1.5MB

Download
memory/3068-553-0x0000022A49E50000-0x0000022A4A05A000-memory.dmp

Filesize
2.0MB

Download
memory/3636-696-0x000001C458B30000-0x000001C458B3A000-memory.dmp

Filesize
40KB

Download
memory/3636-832-0x000001C4591E0000-0x000001C459204000-memory.dmp

Filesize
144KB

Download
memory/4472-303-0x00000225C01C0000-0x00000225C01CA000-memory.dmp

Filesize
40KB

Download
memory/4472-304-0x00000225C0340000-0x00000225C036A000-memory.dmp

Filesize
168KB

Download
memory/4472-305-0x00000225C0340000-0x00000225C0364000-memory.dmp

Filesize
144KB

Download
memory/4472-302-0x00000225C0100000-0x00000225C01B5000-memory.dmp

Filesize
724KB

Download
memory/4472-301-0x00000225C00E0000-0x00000225C00FC000-memory.dmp

Filesize
112KB

Download
memory/4472-287-0x00000225A76E0000-0x00000225A7702000-memory.dmp

Filesize
136KB

Download
memory/4536-67-0x0000019ED1EC0000-0x0000019ED1ECA000-memory.dmp

Filesize
40KB

Download
memory/4868-243-0x00000218C9C90000-0x00000218C9C98000-memory.dmp

Filesize
32KB

Download
memory/5504-789-0x0000022A77070000-0x0000022A77078000-memory.dmp

Filesize
32KB

Download