6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d

Analysis

max time kernel
63s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WhatsappWeb.msi
Size

4.7MB
MD5

82f3f74379c6dbdbca3a64c5717c2faa
SHA1

ba5562e233c1f83d6929db8dd03860a99bf58fa4
SHA256

6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d
SHA512

8bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1
SSDEEP

98304:wph2BBopK5X4MkjkZMiWFLH/qJ/YOKa4RpnoYbO:eQuKl5kjQMr/qJ/YFaO9DO

Score

6^/10

execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	4080	msiexec.exe
7	4080	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\PDQ\PDQConnectAgent\LICENSE.html	msiexec.exe
File created	C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe	msiexec.exe
File created	C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\SFXCA1030B9F85D4DAAAB6102AB63472E4EE8\pdqconnectupdater-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA0CC5ACCC79432AEBD3097F07CA0B4BBF\pdqconnectagent-setup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA6ADB76A8674B548A75E25EF06AFB834A\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA78F241D23449C368967ED1E2C7874284\pdqconnectagent-setup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA78F241D23449C368967ED1E2C7874284\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE33D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA0CC5ACCC79432AEBD3097F07CA0B4BBF\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEE5F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA1030B9F85D4DAAAB6102AB63472E4EE8\pdqconnectupdater-setup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE862.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF47C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA78F241D23449C368967ED1E2C7874284\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA5914EE75864AFFEBD8A9497E939104D5\pdqconnectagent-setup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF3BF.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{F03416B2-8C97-4CC4-8578-5F6A58033B84}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\SFXCA5914EE75864AFFEBD8A9497E939104D5\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF34.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCAF1BE9835AB43523BA44A3CE311DB0CC2\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA0CC5ACCC79432AEBD3097F07CA0B4BBF\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCAD488F4282B4439D93EC5B4F8B876E26B\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA6ADB76A8674B548A75E25EF06AFB834A\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE7C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA5914EE75864AFFEBD8A9497E939104D5\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCAF1BE9835AB43523BA44A3CE311DB0CC2\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA6ADB76A8674B548A75E25EF06AFB834A\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA0CC5ACCC79432AEBD3097F07CA0B4BBF\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\e57de8c.msi	msiexec.exe
File created	C:\Windows\Installer\e57de90.msi	msiexec.exe
File created	C:\Windows\Installer\e57de89.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCAF1BE9835AB43523BA44A3CE311DB0CC2\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA78F241D23449C368967ED1E2C7874284\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA78F241D23449C368967ED1E2C7874284\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFA88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCAD488F4282B4439D93EC5B4F8B876E26B\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA1030B9F85D4DAAAB6102AB63472E4EE8\WixSharp.dll	rundll32.exe
File created	C:\Windows\Installer\wix{0EC05CD8-8D17-472C-86DA-AF1E5356256F}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIE3CA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE776.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA5914EE75864AFFEBD8A9497E939104D5\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\e57de8c.msi	msiexec.exe
File created	C:\Windows\Installer\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCAF1BE9835AB43523BA44A3CE311DB0CC2\pdqconnectagent-setup.exe	rundll32.exe
File created	C:\Windows\Installer\e57de8b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFEEE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF1E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F03416B2-8C97-4CC4-8578-5F6A58033B84}	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA5914EE75864AFFEBD8A9497E939104D5\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFFAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA1030B9F85D4DAAAB6102AB63472E4EE8\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA1030B9F85D4DAAAB6102AB63472E4EE8\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA0CC5ACCC79432AEBD3097F07CA0B4BBF\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCAD488F4282B4439D93EC5B4F8B876E26B\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\SourceHash{0EC05CD8-8D17-472C-86DA-AF1E5356256F}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57de89.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA6ADB76A8674B548A75E25EF06AFB834A\WixSharp.dll	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2076	pdq-connect-agent.exe
1304	pdq-connect-updater.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4272	sc.exe

Loads dropped DLL 21 IoCs

pid	Process
3516	MsiExec.exe
5048	rundll32.exe
3516	MsiExec.exe
3516	MsiExec.exe
3820	rundll32.exe
3516	MsiExec.exe
3516	MsiExec.exe
4596	MsiExec.exe
4676	rundll32.exe
4596	MsiExec.exe
2548	rundll32.exe
4596	MsiExec.exe
216	rundll32.exe
4596	MsiExec.exe
4596	MsiExec.exe
4232	MsiExec.exe
4792	rundll32.exe
4232	MsiExec.exe
4232	MsiExec.exe
1396	rundll32.exe
4232	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5160	powershell.exe
6108	powershell.exe
1600	powershell.exe
7084	powershell.exe
6280	powershell.exe
2564	powershell.exe
6612	powershell.exe
4268	powershell.exe
7008	powershell.exe
5400	powershell.exe
4076	powershell.exe
4884	powershell.exe
6044	powershell.exe
5040	powershell.exe
5864	powershell.exe
6416	powershell.exe
7156	powershell.exe
4876	powershell.exe
1492	powershell.exe
3080	powershell.exe
5712	powershell.exe
2904	powershell.exe
3844	powershell.exe
6816	powershell.exe
5428	powershell.exe
5416	powershell.exe
3204	powershell.exe
3284	powershell.exe
1160	powershell.exe
652	powershell.exe
5776	powershell.exe
6012	powershell.exe
6784	powershell.exe
6792	powershell.exe
1248	powershell.exe
5960	powershell.exe
3948	powershell.exe
4432	powershell.exe
2228	powershell.exe
6844	powershell.exe
6016	powershell.exe
5352	powershell.exe
216	powershell.exe
6312	powershell.exe
216	powershell.exe
3308	powershell.exe
2672	powershell.exe
2556	powershell.exe
1440	powershell.exe
1936	powershell.exe
2196	powershell.exe
6688	powershell.exe
6540	powershell.exe
7076	powershell.exe
4376	powershell.exe
5496	powershell.exe
6960	powershell.exe
3744	powershell.exe
6320	powershell.exe
4144	powershell.exe
1436	powershell.exe
6036	powershell.exe
2168	powershell.exe
6532	powershell.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4080	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\ProductIcon = "C:\\Windows\\Installer\\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\\app_icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2B61430F79C84CC45887F5A6803ABC48	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\ProductName = "PDQConnectAgent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\PackageCode = "F48D6C58CE73B4D449EDBD32ED6FF1F1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Version = "84279302"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\ProductIcon = "C:\\Windows\\Installer\\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\\app_icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DC50CE071D8C27468ADFAE1356251F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Net\1 = "C:\\ProgramData\\PDQ\\PDQConnectAgent\\Updates\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\ProductName = "PDQConnectUpdater"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\PackageCode = "434F680B9DE97584B94705A9B6D3133F"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\PackageName = "WhatsappWeb.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B61430F79C84CC45887F5A68530B348\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DC50CE071D8C27468ADFAE1356552F6\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Version = "196608"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\PDQ\\PDQConnectAgent\\Updates\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DC50CE071D8C27468ADFAE1356251F6\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2B61430F79C84CC45887F5A6803ABC48\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\PackageName = "PDQConnectUpdater-0.3.0.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2148	msiexec.exe
2148	msiexec.exe
2148	msiexec.exe
2148	msiexec.exe
1160	powershell.exe
1160	powershell.exe
1160	powershell.exe
652	powershell.exe
652	powershell.exe
652	powershell.exe
4876	powershell.exe
4876	powershell.exe
4876	powershell.exe
4144	powershell.exe
4144	powershell.exe
4144	powershell.exe
4676	powershell.exe
4676	powershell.exe
4076	powershell.exe
4076	powershell.exe
4676	powershell.exe
4676	powershell.exe
2556	powershell.exe
2556	powershell.exe
1600	powershell.exe
1600	powershell.exe
5040	powershell.exe
5040	powershell.exe
1492	powershell.exe
1492	powershell.exe
2672	powershell.exe
2672	powershell.exe
3948	powershell.exe
3948	powershell.exe
2564	powershell.exe
2564	powershell.exe
4076	powershell.exe
4076	powershell.exe
3308	powershell.exe
3308	powershell.exe
1436	powershell.exe
1436	powershell.exe
5040	powershell.exe
1436	powershell.exe
1600	powershell.exe
2556	powershell.exe
2564	powershell.exe
1492	powershell.exe
3948	powershell.exe
3308	powershell.exe
2672	powershell.exe
4676	powershell.exe
4676	powershell.exe
5496	powershell.exe
5496	powershell.exe
5496	powershell.exe
216	powershell.exe
216	powershell.exe
6012	powershell.exe
6012	powershell.exe
4432	powershell.exe
4432	powershell.exe
6016	powershell.exe
6016	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4080	msiexec.exe
Token: SeSecurityPrivilege	2148	msiexec.exe
Token: SeCreateTokenPrivilege	4080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4080	msiexec.exe
Token: SeLockMemoryPrivilege	4080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4080	msiexec.exe
Token: SeMachineAccountPrivilege	4080	msiexec.exe
Token: SeTcbPrivilege	4080	msiexec.exe
Token: SeSecurityPrivilege	4080	msiexec.exe
Token: SeTakeOwnershipPrivilege	4080	msiexec.exe
Token: SeLoadDriverPrivilege	4080	msiexec.exe
Token: SeSystemProfilePrivilege	4080	msiexec.exe
Token: SeSystemtimePrivilege	4080	msiexec.exe
Token: SeProfSingleProcessPrivilege	4080	msiexec.exe
Token: SeIncBasePriorityPrivilege	4080	msiexec.exe
Token: SeCreatePagefilePrivilege	4080	msiexec.exe
Token: SeCreatePermanentPrivilege	4080	msiexec.exe
Token: SeBackupPrivilege	4080	msiexec.exe
Token: SeRestorePrivilege	4080	msiexec.exe
Token: SeShutdownPrivilege	4080	msiexec.exe
Token: SeDebugPrivilege	4080	msiexec.exe
Token: SeAuditPrivilege	4080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4080	msiexec.exe
Token: SeChangeNotifyPrivilege	4080	msiexec.exe
Token: SeRemoteShutdownPrivilege	4080	msiexec.exe
Token: SeUndockPrivilege	4080	msiexec.exe
Token: SeSyncAgentPrivilege	4080	msiexec.exe
Token: SeEnableDelegationPrivilege	4080	msiexec.exe
Token: SeManageVolumePrivilege	4080	msiexec.exe
Token: SeImpersonatePrivilege	4080	msiexec.exe
Token: SeCreateGlobalPrivilege	4080	msiexec.exe
Token: SeBackupPrivilege	1500	vssvc.exe
Token: SeRestorePrivilege	1500	vssvc.exe
Token: SeAuditPrivilege	1500	vssvc.exe
Token: SeBackupPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeRestorePrivilege	2148	msiexec.exe
Token: SeTakeOwnershipPrivilege	2148	msiexec.exe
Token: SeBackupPrivilege	4676	rundll32.exe
Token: SeBackupPrivilege	4676	rundll32.exe
Token: SeBackupPrivilege	4676	rundll32.exe
Token: SeBackupPrivilege	4676	rundll32.exe
Token: SeBackupPrivilege	4676	rundll32.exe
Token: SeBackupPrivilege	4676	rundll32.exe
Token: SeBackupPrivilege	4676	rundll32.exe
Token: SeSecurityPrivilege	4676	rundll32.exe
Token: SeBackupPrivilege	4676	rundll32.exe
Token: SeSecurityPrivilege	4676	rundll32.exe
Token: SeBackupPrivilege	4676	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4080	msiexec.exe
4080	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1656	2148	msiexec.exe	103
PID 2148 wrote to memory of 1656	2148	msiexec.exe	103
PID 2148 wrote to memory of 3516	2148	msiexec.exe	105
PID 2148 wrote to memory of 3516	2148	msiexec.exe	105
PID 3516 wrote to memory of 5048	3516	MsiExec.exe	106
PID 3516 wrote to memory of 5048	3516	MsiExec.exe	106
PID 3516 wrote to memory of 3820	3516	MsiExec.exe	107
PID 3516 wrote to memory of 3820	3516	MsiExec.exe	107
PID 2148 wrote to memory of 4596	2148	msiexec.exe	108
PID 2148 wrote to memory of 4596	2148	msiexec.exe	108
PID 4596 wrote to memory of 4676	4596	MsiExec.exe	109
PID 4596 wrote to memory of 4676	4596	MsiExec.exe	109
PID 4596 wrote to memory of 2548	4596	MsiExec.exe	110
PID 4596 wrote to memory of 2548	4596	MsiExec.exe	110
PID 4596 wrote to memory of 216	4596	MsiExec.exe	111
PID 4596 wrote to memory of 216	4596	MsiExec.exe	111
PID 216 wrote to memory of 4272	216	rundll32.exe	112
PID 216 wrote to memory of 4272	216	rundll32.exe	112
PID 2076 wrote to memory of 1688	2076	pdq-connect-agent.exe	116
PID 2076 wrote to memory of 1688	2076	pdq-connect-agent.exe	116
PID 2148 wrote to memory of 4232	2148	msiexec.exe	117
PID 2148 wrote to memory of 4232	2148	msiexec.exe	117
PID 4232 wrote to memory of 4792	4232	MsiExec.exe	118
PID 4232 wrote to memory of 4792	4232	MsiExec.exe	118
PID 4232 wrote to memory of 1396	4232	MsiExec.exe	119
PID 4232 wrote to memory of 1396	4232	MsiExec.exe	119
PID 2076 wrote to memory of 1160	2076	pdq-connect-agent.exe	125
PID 2076 wrote to memory of 1160	2076	pdq-connect-agent.exe	125
PID 2076 wrote to memory of 652	2076	pdq-connect-agent.exe	127
PID 2076 wrote to memory of 652	2076	pdq-connect-agent.exe	127
PID 2076 wrote to memory of 4876	2076	pdq-connect-agent.exe	129
PID 2076 wrote to memory of 4876	2076	pdq-connect-agent.exe	129
PID 2076 wrote to memory of 4144	2076	pdq-connect-agent.exe	131
PID 2076 wrote to memory of 4144	2076	pdq-connect-agent.exe	131
PID 2076 wrote to memory of 4676	2076	pdq-connect-agent.exe	135
PID 2076 wrote to memory of 4676	2076	pdq-connect-agent.exe	135
PID 2076 wrote to memory of 4076	2076	pdq-connect-agent.exe	137
PID 2076 wrote to memory of 4076	2076	pdq-connect-agent.exe	137
PID 2076 wrote to memory of 1600	2076	pdq-connect-agent.exe	139
PID 2076 wrote to memory of 1600	2076	pdq-connect-agent.exe	139
PID 2076 wrote to memory of 5040	2076	pdq-connect-agent.exe	140
PID 2076 wrote to memory of 5040	2076	pdq-connect-agent.exe	140
PID 2076 wrote to memory of 3308	2076	pdq-connect-agent.exe	142
PID 2076 wrote to memory of 3308	2076	pdq-connect-agent.exe	142
PID 2076 wrote to memory of 2556	2076	pdq-connect-agent.exe	143
PID 2076 wrote to memory of 2556	2076	pdq-connect-agent.exe	143
PID 2076 wrote to memory of 2672	2076	pdq-connect-agent.exe	144
PID 2076 wrote to memory of 2672	2076	pdq-connect-agent.exe	144
PID 2076 wrote to memory of 2564	2076	pdq-connect-agent.exe	145
PID 2076 wrote to memory of 2564	2076	pdq-connect-agent.exe	145
PID 2076 wrote to memory of 1436	2076	pdq-connect-agent.exe	146
PID 2076 wrote to memory of 1436	2076	pdq-connect-agent.exe	146
PID 2076 wrote to memory of 1492	2076	pdq-connect-agent.exe	148
PID 2076 wrote to memory of 1492	2076	pdq-connect-agent.exe	148
PID 2076 wrote to memory of 3948	2076	pdq-connect-agent.exe	155
PID 2076 wrote to memory of 3948	2076	pdq-connect-agent.exe	155
PID 2556 wrote to memory of 6044	2556	powershell.exe	158
PID 2556 wrote to memory of 6044	2556	powershell.exe	158
PID 4076 wrote to memory of 6112	4076	powershell.exe	159
PID 4076 wrote to memory of 6112	4076	powershell.exe	159
PID 6112 wrote to memory of 3772	6112	csc.exe	160
PID 6112 wrote to memory of 3772	6112	csc.exe	160
PID 3948 wrote to memory of 5496	3948	powershell.exe	162
PID 3948 wrote to memory of 5496	3948	powershell.exe	162

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WhatsappWeb.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1656
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding A291106E63D28D8A3CB0923687CDDA32
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIDF34.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240639906 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:5048
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIE3EB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240641125 16 WixSharp!WixSharp.ManagedProjectActions.WixSharp_BeforeInstall_Action
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:3820
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 672FE21BDACFFDF6A05C439B24F15BB9 E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIE862.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240642250 38 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.CreateEventSource
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIEBDE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643093 44 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.WriteToken
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:2548
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIEE5F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643734 50 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.StartService
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start "PDQConnectAgent"
      4⤵
      Launches sc.exe
      PID:4272
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 18B9994932C6D061C86854F454A8059E E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIFA88.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240647000 61 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:4792
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIFFAB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240648156 77 pdqconnectupdater-setup!pdqconnectupdater_setup.CustomActions.CreateEventSource
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:1396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe
"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe" --service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\msiexec.exe
  "msiexec" /i C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi /quiet /qn /norestart /L*V C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log
  2⤵
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\dx4anh3j\dx4anh3j.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES6230.tmp" "c:\Windows\Temp\dx4anh3j\CSC807DBE293344934B4BCED7D8F7EA979.TMP"
      4⤵
      PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- - C:\Windows\TEMP\5C14C485-5FB9-4AED-A7F6-0EB280E6D213\dismhost.exe
    C:\Windows\TEMP\5C14C485-5FB9-4AED-A7F6-0EB280E6D213\dismhost.exe {D684F080-CB65-4BAA-8F8A-E27FCDE1D2E5}
    3⤵
    PID:3764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\dsregcmd.exe
    "C:\Windows\system32\dsregcmd.exe" /status
    3⤵
    PID:6044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:5496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      PID:6240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:6016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:6784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4884
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    PID:6972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      PID:5820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:6012
- - C:\Windows\TEMP\BFD33B93-1685-473A-99EE-09ABEF6EDF7D\dismhost.exe
    C:\Windows\TEMP\BFD33B93-1685-473A-99EE-09ABEF6EDF7D\dismhost.exe {2AD1E093-8D20-4C56-BBEE-E1E43A2EF90E}
    3⤵
    PID:5340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\g52e0hst\g52e0hst.cmdline"
    3⤵
    PID:6244
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES7CBD.tmp" "c:\Windows\Temp\g52e0hst\CSCE03727C271324EFFB491AAB8FE41B47.TMP"
      4⤵
      PID:6380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:5352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:5712
- - C:\Windows\system32\dsregcmd.exe
    "C:\Windows\system32\dsregcmd.exe" /status
    3⤵
    PID:6356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:5864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:6036

C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe
"C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe" --service
1⤵
- Executes dropped EXE
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57de8a.rbs

Filesize
399KB

MD5
810a58db0819370cc693054bdf905789

SHA1
4e20fcee9638f067bf621c00e824fa84a130600b

SHA256
7fffafbd274513585d288b0aa9c0eec2eb9bdeef93a30d7f0849008e2913e88a

SHA512
a7038601626cfd2ef09cd759f38da34f63309f40405db68c5c8dcc33858cdec0e53e168d1eeb8fcfad2e24ec2b11c90d0e4d405a01a361fe6115cc0653155683

Download Submit
C:\Config.Msi\e57de8f.rbs

Filesize
398KB

MD5
b7b36aca3b01700a3a0a045edaf6c720

SHA1
e343ce8f0eadd0742cd6780f2b1ce453d2505539

SHA256
f99d415569419fdb630ad4381194f65f4d912adc5233631807b858bc422f64ee

SHA512
d74d6816bf15d753f2e9b851bd4a7bd6301bb5095b5491bae9ef4fa54e80142952f3778582a78d753a8be7d906444d88c4374cd04c7a89af3e8231c4f1a60540

Download Submit
C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe

Filesize
8.7MB

MD5
261615a6f6874fbd61b5ac3dc15d17fc

SHA1
605c394c5f4968f181cf8cdcf5642c250fd9a8e5

SHA256
56186e8c33ad8da8621134794f3a8dee38f9b0462e2dd679908c1374938ddb36

SHA512
5273ae4a371e8e0dd8db836a9e59d222e90c5aa619564ab4cfdb107ec5becb01b2f188f78d8b2cf10dd2bb0ab0cd288c7af537351ed65b21dde80c9aa0cf825d

Download Submit
C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe

Filesize
3.3MB

MD5
bb3ca7301fa7d4434ffa7e294b9827c4

SHA1
60ac464927553aea2c5ab33345f074fe1ede4217

SHA256
8daa7bc4f2e938960186dfd65ee38cc8917361c90dc9cfef5f2ce83306691988

SHA512
56e54e21806da03b9ad3806dcec1bb25cd371a438e1b78923df9c96a0d76ac00484c0caaeff72dd3720edf7bb120607b79dd30ceea8851c21cbb58d5679ffab4

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi

Filesize
3.0MB

MD5
5b37244e2bdbaa4c00da0cc09928cb98

SHA1
39716cc8fbbcf23bf9e5b17b2ddfbf95668e53b7

SHA256
101665452ebc6e400550380510e8db10a9ce2af1e458f928ca4b0188daeceb9d

SHA512
377bf3868b41026680e11dde3086afdd48518187e3f831efddeae0a50fce74ba69b364b8a99bfed574c1c2349806602cef6e6d492b4b05f17eda6e3555f403d8

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log

Filesize
1KB

MD5
6d6120fc33317b7ec219e9d1b5817ac7

SHA1
c54d31fbc699a03b22557b25ae4970d80b831e9d

SHA256
2dc8aa5be403ce386c34916a8717067cea9078cacf61c3d8f0dffcdf54a52766

SHA512
5d58def748f69aed3dc196861a5bdd9f9855ce78e8479a8370e416ba12fc7f41248cef336fc9d9af1ec1fa528c4ba4b8f56ab41b97f55d42ea4e6a7556a41de8

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\token

Filesize
86B

MD5
2a56b04396f6c0f9633aa1c7be624691

SHA1
5f9fb318948cc089cb53fe3cdd30fe189c465c9c

SHA256
b7cf14f5ae19b6000f07c4ce9d217236d4c220e1b6087c4e89230bb9ed3d5105

SHA512
fe7681852fb40f362d8dc68347038108cc2a7db9462df5d4bfd3a873ba5da23ea5ccd4abb4b68ddf957fca20f1f9da03c20c96d9e6da622e2459adaa640d63a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
4302ac33571a665623f83caa83e9d7b7

SHA1
38e4b1f7626af38f558f00b7585a8821a3ef371e

SHA256
85d864fdf43320e3535ad37f3d946a3bd648df66622cbbcb079b976abfa7ff41

SHA512
cc7530d96b6cf2d390a660fccd64170b6a32fb4ed777f3369ef92180abcaabfd94f74ba0ba8730084510fdeb42ded2a9b799d14c787424d3d11d2f2043642c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4

Filesize
727B

MD5
057d0af1f3bb46423b56e4c1c75393bf

SHA1
957beaee81115f862143aa455aa31a88223d6320

SHA256
6691143f23dd0b020f1b0a1551f5ad14cb0d8d8bb610e1cada0175992e9bb9cc

SHA512
fa448dbb849184f1f6765731c948eee3885561f473489cdf41ccaf16b0189fe18321b3e8b92e906fd66d508671ccefd172406ae4723b0c810c9184f709920af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CB7DFFEEA63BAB482BD2705E7E24AB_D64C5BFAB2C28B4652E4AC7169A0D3DB

Filesize
727B

MD5
29feaa220e7dc2d386fedebeff4cb068

SHA1
07d8e8f5c90a7dff1ba61253b8b49ef6188d86a0

SHA256
eecb268820b5be9d0cda58bddaa3185561c42a48ff000500c72c86d0caa31ebb

SHA512
b4c8ff2535ef5ceb06c9f872524a8b8cc4966960a6b1a94576b0b6912e612f014de053acbf88bbfb07b52eb1148af637b2470523af55143b9e15d93a28009b33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
71bb0be3a69104394902a1b83fbc52b3

SHA1
141819a839c39f9b051d8855ab4944da932431b2

SHA256
6a865e3d354923859818eb3e0e4a5bff486d9e4fe253a345a976dcad57b01ab1

SHA512
a03b118dc1c903809662ec6a4648f896be25917f13627a681ae81744e910c05f89fed59f78b8b4edcda80aab8694077e124234fdb40508385b9483d41687148d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4

Filesize
416B

MD5
4d51a55b9983c47539368590c912baa9

SHA1
c3aac380335869e052465cbde793e2e76b3c1b95

SHA256
c724511a42c40a1fa7287da288b8656a56af3f7abeb64cfcbd394265f598b304

SHA512
01a038a44e53e134261937856e108cfb9fdddcfb7c9241103492c40f80d514c3c5a382b2069ba1ea4ea95ae8dacabc920abd488deadc9d416e42c5457a54a3f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CB7DFFEEA63BAB482BD2705E7E24AB_D64C5BFAB2C28B4652E4AC7169A0D3DB

Filesize
408B

MD5
86e98a7b7dd0081a92617989d882b64b

SHA1
f843691adbcd0faa871719f3b412caccc5016da3

SHA256
e748a2dc033ed800ccf975beb529ead426349842182cfe0936d6f3276deed288

SHA512
56cb3d0c9265066ef52bce2de52f8fad702990f2ef183d25ed4ac37067933a795b6fe0573c09e3e57251f1fe854bdd3d1929da628d0fcde52474c16cd08c4739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
00bfeb783aeff425ce898d55718d506d

SHA1
aac7a973dc1f9ca7abc529c7ea37ad7eaf491b8f

SHA256
d06099ef43eb002055378b1b6d9853f9b1f891ada476932ba575d1f97065a580

SHA512
2209d5f4999cb36ebf26c6b8cb3195cc9fc0f0a103f4a28dd77b04605d7c6e79d47d806454c63b8d42bbe32864be7cdb56df3cccf71a6c27fe0b331d8304e1ff

Download Submit
C:\Windows\Installer\MSIDF34.tmp

Filesize
549KB

MD5
45e153ef2e0aa13c55cd25fafa3bce90

SHA1
9805ae1f48e801df6df506f949b723e6553ce2e5

SHA256
2104d3c13e6b624a7d628534fcdf900730752f9ff389b0f4fe1de77c33d8d4c1

SHA512
87f967910b99a9833a1cb6de12225cf6c7b08239e49059ae5303bfcd1c69bcc691d35ee676a761456ec2a6ded199ac30adc28b933cb8ad0e09c0a99456db3d8a

Download Submit
C:\Windows\Installer\MSIE3CA.tmp

Filesize
390KB

MD5
e8dc682f2c486075c6aba658971a62cc

SHA1
7cd0a2b5047a4074aa06a6caa3bb69124851e95d

SHA256
7aacd4c18710e9bc4ff2034895a0a0c8f80f21809fb177d520e93f7688216e6d

SHA512
a0a1f0f418bf2d4ffd079b840aeb0142c7faab7fa72b5e33b1841798569f55a25dfd305abf9c2ca89792f6499f695b69975882697dc53e99d5a975a9fa8c7d75

Download Submit
C:\Windows\Installer\MSIE862.tmp

Filesize
552KB

MD5
b8be9443eb257e5d64319aedd93006fb

SHA1
15d1195faa545c7ac3ab1fe6044047f6008fb0a8

SHA256
d81b62896e97bb77a7b7796665dce3ab9913352e9fe18d420818598cbeb4f34b

SHA512
429dfb4b845408d8c8c045d3295a05f817f4a03c037c9259a9867342bd5919c4d87d7fbae3d6641db9bf273965d642da2ab194ea26b6ebc07f77b42abd26b1bf

Download Submit
C:\Windows\Installer\MSIFA88.tmp

Filesize
539KB

MD5
116108233cb1435bee51bbd8d05451f2

SHA1
e6f725c73bb9c68827a12706d6612ccf50cfd797

SHA256
85b6e5dc375ed84da40eb1571fb84b342a09daa040459aed737944cef22b3058

SHA512
d57f3fa1d365dc2e28c51a32c8bcd1316d5ee2a4fdd419df3354afbcea2a3ae6bcc6cef83d9ef283861ebf4f344d6d4f9a5e8596a24be74e209fa1e519e55bfa

Download Submit
C:\Windows\Installer\MSIFFAB.tmp

Filesize
550KB

MD5
2fd5cb19412a83cedd1949df65fdca84

SHA1
f6d19feee650f38f878236ec6ed32ec139d271bd

SHA256
11d26f41e4b4abcf60b38b4200873fd18f65cab415268fdd74bca5d6e590cb18

SHA512
926a4c1d11a909b5402d546d93e2ac3229c2c32b4e96302fede7fa0b223d0c14096e0c00f7c728a0389775adac24ed8a49b6013ba89dbc5a12fb1ddacc9df77e

Download Submit
C:\Windows\Installer\SFXCA0CC5ACCC79432AEBD3097F07CA0B4BBF\pdqconnectagent-setup.exe

Filesize
24KB

MD5
75f16349cafae8f37bd1e207e2ec83d2

SHA1
f16f6adf8fd8344749ee7c9afe899f11caa959fe

SHA256
f3bb2b9230b8a6066dfeeb172ad32ae3ea31d2d49c76bdcc8a1e2531fa61f5b7

SHA512
2b1cc8c0dfb787a01d8834f0193f7b30de04cbbec271a98502f98956c136aa16e9a0bd388b4e03c075a9cb1deb0f51fb4eecc92af3ce1c87b363ac5076fc823b

Download Submit
C:\Windows\Installer\SFXCA6ADB76A8674B548A75E25EF06AFB834A\CustomAction.config

Filesize
980B

MD5
c9c40af1656f8531eaa647caceb1e436

SHA1
907837497508de13d5a7e60697fc9d050e327e19

SHA256
1a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8

SHA512
0f7033686befa3f4acf3ed355c1674eaa6e349fba97e906446c8a7000be6876f157bc015bf5d3011fbbdc2c771bcbaea97918b8d24c064cbbd302741cc70cbc7

Download Submit
C:\Windows\Installer\SFXCA6ADB76A8674B548A75E25EF06AFB834A\WixSharp.dll

Filesize
602KB

MD5
ebed2675d27b9383ee8e58bdeddd5da4

SHA1
4dc37974db638ec02363c784fa2c178125f4280f

SHA256
caa9da1c55e33446eaeb783957e990847369423c7dd652f07a5c93bf1d786a66

SHA512
b13538f58b766abd013f73d398eaa4e1adec3fc967415bf7f95198e6f55ac65a12a0c3863708b6fb525ef4a01f0ab88485bb990527bc0e4f5159c8419811dfab

Download Submit
C:\Windows\Installer\SFXCA6ADB76A8674B548A75E25EF06AFB834A\WixToolset.Dtf.WindowsInstaller.dll

Filesize
193KB

MD5
b82b13d16e7f3d3607026f61b7295224

SHA1
d17b76907ea442b6cc5a79361a8fcec91075e20d

SHA256
bcc548e72b190d8f39dcb19538444e2576617a21caba6adcb4116511e1d2ddee

SHA512
be8c0b8b585fc77693e7481ca5d3f57a8b213c1190782fd4700676af9c0b671523c1a4fa58f15947a14c1ff6d4cda65d7353c6ba848a3a247dfcda864869e93f

Download Submit
C:\Windows\Installer\e57de89.msi

Filesize
4.7MB

MD5
82f3f74379c6dbdbca3a64c5717c2faa

SHA1
ba5562e233c1f83d6929db8dd03860a99bf58fa4

SHA256
6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d

SHA512
8bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
19110dcf3431c8dd82a21904d040457e

SHA1
34909df065f79a8ca8e67cf539506b94dcb30788

SHA256
8ba97757689e207797df7dd9906c16e6d75d47eb8790fdb4efe10e6267e0560e

SHA512
ac8835cc40c8b397aeeeb21ac2dbf6daac23980e8dfcb681d2796481e6f07432a8f0c4c24fbbdf31b77f35867ce6c6705d6625216e3369cbc7604c8f3c558904

Download Submit
C:\Windows\TEMP\RES6230.tmp

Filesize
1KB

MD5
33e0bec74e8855b00ae01ef7a55ece0a

SHA1
125d54e78fe5e4d6bd2a593ca3bdab3562febf29

SHA256
4b430e0156012446d35bf3ba90a6fc8412bc2686fd2f7268893187d56e176b6c

SHA512
76d24e7a3035e58691454c3cb1dbc593a9eb5eed191576573471c4a5cd6f77ad74df6439a5985a0a237b2e9f5c8b3a4979e6a8171c8716b4da7bb3cec7b9b4ce

Download Submit
C:\Windows\TEMP\dx4anh3j\dx4anh3j.dll

Filesize
3KB

MD5
7d1628b75b1fdd6a35e70a11ccb246b5

SHA1
dddb6e9d5135ec004357ced9374bf048c6ed929f

SHA256
61e26bdf401c505da18e4273f578c4181f9ed2e544548f266daaf10fc839bbb0

SHA512
990456564eca324c1d25685c9de46ae6dad3f4e29dc469fb36f16ecf31ce0d3d6acb0cc73da1888ab4fc40e1b0648f6419bde58fefd7c234163894914fadd161

Download Submit
C:\Windows\Temp\BFD33B93-1685-473A-99EE-09ABEF6EDF7D\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_kvhshxtl.guf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
c24e9d1123bd6a335730119e7399c481

SHA1
53e88f378e61191fd1b0213e0beac692297cc5c2

SHA256
fbd6b175b9e1ffc92c569a6467172b6f1cebd4b8cd2d3bbb5119e1b4856cfe50

SHA512
3323e8e2d73cb4e986b25ccd7abfe350f5205f144999ffe01cf8e30e4eb6c6d68ac03b1f1a0c82e3d1ab292320e66c44263bcdf05e1c78b5953fa5bb5bf2a80d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d87725a59cf3a05a4538388aa07e4e1

SHA1
1aaf726902dc55f250203d9c7710eeef7f12ce8d

SHA256
5f18ec20fc4a804095c47afff4c39bc3af5af32463787617c3056162505e771d

SHA512
c812ef325b97f7f762fd878b4a1104578be1f730c28485078513c4169f465c87806de19c895ac4219e7f24a9e7a259859766d078f05158f1b81356323c88f2a2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c13777632796fa3b990943b714d068a

SHA1
59c143a894266af1bd11041fe0d5b651adb80718

SHA256
cde6c9ab4a6b27fe0c44a4101e4a85e66c0bc872034684de72513bdd07981174

SHA512
97cd1975e516011094e21d593add09f43f1db97bc0f83f673e5f9be2f84ad58529752492a202cb807761691ae8e573615009a307f8582f5dfe4618ec08e4a65e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ae6e86c96dcdf58e38d9f132568e6c3

SHA1
b2cd53c75a527bfa0173be8b2d0765e0628b0922

SHA256
124f08e0fa42affe82d244603d2d3baa9be89208f618a281193728add679c837

SHA512
487339a1e207267f32ff3674cc63cce8779182a96ed7a39d389abc4c708e13885fab4ae3f746350cff7bde4038efb62a5229de094bf871a324730beaa48f5228

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2fe1158cd98433030ead5933913088ff

SHA1
c4ea24e9148891a9d5654ab85c284f1e9256e018

SHA256
d8bade0f7daaff56332e3007cf2699630a222e9acb0670c03e2031c913db8e3c

SHA512
ed31161751e25f7db62c2da4ee0e3d52bea62d530cbfd82c1397f1f49a232695605f11586541c97c47daee1b3d045d7bee22c005f0002239de66523c01d97061

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5255fabcdaaea07d7e84cbffa401ae20

SHA1
c468935ab440500bc0f65ab9355a27c87bf84ea9

SHA256
d31d09d5025de60b56d9bd08c68969573b8ef5e9e07cf489c436c38bb7890ae3

SHA512
44ade541f4d38b3dd1e9808fb4cad9d99e08e9aa31f544cff6bc0c0dfa9ec690dd606bc4b6523d327001e714743db5ed6a62347c65a9ec681df199e5d1c16467

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
1061944f84326821efe15b822a564d5a

SHA1
1c308962da3bd27c4118e74695be1ac2f0b6f25c

SHA256
a53bf2cbdd6ecdff0c7a1a1b53dabbfc08fa2c018ff893d9553ccf59df7e85df

SHA512
34aca7c6fdb3a2a75c9e28c353186c5fdc4195c59714068ecbf9c4308764dab5e9387a87539279a5fc326105a774777709b05f58b2540fb6369136ef86e85c8f

Download Submit
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{feb45c59-bca3-4466-bc2e-343f3779b570}_OnDiskSnapshotProp

Filesize
6KB

MD5
7186817a07d35abdd54b1e5e2f0be8b5

SHA1
de158a0c023e10bc60f38f0f21df84224607ba0e

SHA256
ca85f9fd60d3e9f64187970d1f7d447761203c5391255e991a74ee9cb2be7213

SHA512
5218775fca1ddbfc3a7003b5a9a90e47baed2c5eae48b4859cee8cd1078530a987eddf8351bd444e93edf5558780a95eb2e0563021ac60549d5861ccea892d11

Download Submit
\??\c:\Windows\Temp\dx4anh3j\CSC807DBE293344934B4BCED7D8F7EA979.TMP

Filesize
652B

MD5
0b724fc10360d3da4a3d177e6ec9d4c2

SHA1
a51b3370e64de0da1fc103dc355e7ddbce5b6a65

SHA256
c3ee6113c6ecd5e4caf73dad26648c0b7acfefd5c7e3b3809091f815009ac492

SHA512
d5f8e8439f9b6a2ada35f4fd6a2d9a17170dfbfb1d6ad5afc380758b9b8b40af94fb83c432e98f45776d37c94ed7b537bf9e4e75081d97305cbbb9d84dd7ac19

Download Submit
\??\c:\Windows\Temp\dx4anh3j\dx4anh3j.0.cs

Filesize
889B

MD5
dc979c0e403543f9000fc7650c17d17e

SHA1
907cf70a5b63337e620ca3da119e46145cf40546

SHA256
4c2601bd3a1eb9214c16e66e3b677f91f1c4072f0cc95d515b8cdea9b7708b3a

SHA512
f544d9fcb4ea073d2c8741a23f75bb67e404480aa3e781688a7913e1bab2edb25a42f70c739eb2d47215400e6ff0f8f9cfe0e64ee42c81010f43bb0a34d9655b

Download Submit
\??\c:\Windows\Temp\dx4anh3j\dx4anh3j.cmdline

Filesize
333B

MD5
a1d8f2fcb57e2c9b6cfea60bdecc534d

SHA1
5b2850e73f1bac9db05faaebf01dd47ca36b2cb6

SHA256
ba15407cfa7c65c70e1962a5c25bb8c05b90f761290e130ecf754b1e58b2f2d9

SHA512
28d5883c5ee949b234a552901eb7a2b731c9e1685c382b0e382d6529adb7242c2a636eb2511ecc168a21a9cbb789b8296ed02ddd4d80733cede3a0bbd938c402

Download Submit
memory/216-761-0x0000022BE0800000-0x0000022BE0808000-memory.dmp

Filesize
32KB

Download
memory/1160-302-0x00000194F7340000-0x00000194F73F5000-memory.dmp

Filesize
724KB

Download
memory/1160-304-0x00000194F7690000-0x00000194F76BA000-memory.dmp

Filesize
168KB

Download
memory/1160-303-0x00000194F70F0000-0x00000194F70FA000-memory.dmp

Filesize
40KB

Download
memory/1160-305-0x00000194F7690000-0x00000194F76B4000-memory.dmp

Filesize
144KB

Download
memory/1160-291-0x00000194F7070000-0x00000194F7092000-memory.dmp

Filesize
136KB

Download
memory/1160-301-0x00000194F70D0000-0x00000194F70EC000-memory.dmp

Filesize
112KB

Download
memory/1396-243-0x00000225033C0000-0x00000225033C8000-memory.dmp

Filesize
32KB

Download
memory/1492-658-0x000001517D470000-0x000001517D480000-memory.dmp

Filesize
64KB

Download
memory/1492-664-0x000001517DAB0000-0x000001517DACA000-memory.dmp

Filesize
104KB

Download
memory/1492-526-0x000001517D6B0000-0x000001517D6CC000-memory.dmp

Filesize
112KB

Download
memory/3820-67-0x0000023D9B710000-0x0000023D9B71A000-memory.dmp

Filesize
40KB

Download
memory/3948-572-0x000001FB7A570000-0x000001FB7A6E6000-memory.dmp

Filesize
1.5MB

Download
memory/3948-573-0x000001FB7A900000-0x000001FB7AB0A000-memory.dmp

Filesize
2.0MB

Download
memory/4076-548-0x0000024617240000-0x0000024617248000-memory.dmp

Filesize
32KB

Download
memory/4268-1756-0x000001E125E10000-0x000001E125EC5000-memory.dmp

Filesize
724KB

Download
memory/4676-489-0x00000135EDA40000-0x00000135EDAF5000-memory.dmp

Filesize
724KB

Download
memory/4676-528-0x00000135EE520000-0x00000135EEA48000-memory.dmp

Filesize
5.2MB

Download
memory/4676-527-0x00000135EDE20000-0x00000135EDFE2000-memory.dmp

Filesize
1.8MB

Download
memory/4876-352-0x0000023D63B60000-0x0000023D63C15000-memory.dmp

Filesize
724KB

Download
memory/5040-705-0x0000017DB4690000-0x0000017DB469A000-memory.dmp

Filesize
40KB

Download
memory/5040-830-0x0000017DB4D40000-0x0000017DB4D64000-memory.dmp

Filesize
144KB

Download
memory/5048-38-0x0000017A3D5F0000-0x0000017A3D68C000-memory.dmp

Filesize
624KB

Download
memory/5048-36-0x0000017A3CA70000-0x0000017A3CAA4000-memory.dmp

Filesize
208KB

Download
memory/6312-1557-0x000001FCD7970000-0x000001FCD7A25000-memory.dmp

Filesize
724KB

Download