Analysis
max time kernel: 71s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 05:22
Static task: static1
Behavioral task: behavioral1
  Sample: ArchivoNuevo.msi
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: ArchivoNuevo.msi
  Resource: win10v2004-20241007-en
General
Target: ArchivoNuevo.msi
Size: 4.7MB
MD5: 82f3f74379c6dbdbca3a64c5717c2faa
SHA1: ba5562e233c1f83d6929db8dd03860a99bf58fa4
SHA256: 6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d
SHA512: 8bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1
SSDEEP: 98304:wph2BBopK5X4MkjkZMiWFLH/qJ/YOKa4RpnoYbO:eQuKl5kjQMr/qJ/YFaO9DO
Malware Config
Signatures
Blocklisted process makes network request 2 IoCs
flow  pid   Process
4     1460  msiexec.exe
6     1460  msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 28 IoCs
Drops file in Program Files directory 3 IoCs
description   ioc                                                             Process
File created  C:\Program Files\PDQ\PDQConnectAgent\LICENSE.html               msiexec.exe
File created  C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe      msiexec.exe
File created  C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe  msiexec.exe
Drops file in Windows directory 64 IoCs
Executes dropped EXE 4 IoCs
pid   Process
4136  pdq-connect-agent.exe
2952  pdq-connect-updater.exe
5404  dismhost.exe
1496  dismhost.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
2752  sc.exe
Loads dropped DLL 31 IoCs
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid   Process
1460  msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 46 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                            pid   Process
Token: SeShutdownPrivilege             1460  msiexec.exe
Token: SeIncreaseQuotaPrivilege        1460  msiexec.exe
Token: SeSecurityPrivilege             4568  msiexec.exe
Token: SeCreateTokenPrivilege          1460  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   1460  msiexec.exe
Token: SeLockMemoryPrivilege           1460  msiexec.exe
Token: SeIncreaseQuotaPrivilege        1460  msiexec.exe
Token: SeMachineAccountPrivilege       1460  msiexec.exe
Token: SeTcbPrivilege                  1460  msiexec.exe
Token: SeSecurityPrivilege             1460  msiexec.exe
Token: SeTakeOwnershipPrivilege        1460  msiexec.exe
Token: SeLoadDriverPrivilege           1460  msiexec.exe
Token: SeSystemProfilePrivilege        1460  msiexec.exe
Token: SeSystemtimePrivilege           1460  msiexec.exe
Token: SeProfSingleProcessPrivilege    1460  msiexec.exe
Token: SeIncBasePriorityPrivilege      1460  msiexec.exe
Token: SeCreatePagefilePrivilege       1460  msiexec.exe
Token: SeCreatePermanentPrivilege      1460  msiexec.exe
Token: SeBackupPrivilege               1460  msiexec.exe
Token: SeRestorePrivilege              1460  msiexec.exe
Token: SeShutdownPrivilege             1460  msiexec.exe
Token: SeDebugPrivilege                1460  msiexec.exe
Token: SeAuditPrivilege                1460  msiexec.exe
Token: SeSystemEnvironmentPrivilege    1460  msiexec.exe
Token: SeChangeNotifyPrivilege         1460  msiexec.exe
Token: SeRemoteShutdownPrivilege       1460  msiexec.exe
Token: SeUndockPrivilege               1460  msiexec.exe
Token: SeSyncAgentPrivilege            1460  msiexec.exe
Token: SeEnableDelegationPrivilege     1460  msiexec.exe
Token: SeManageVolumePrivilege         1460  msiexec.exe
Token: SeImpersonatePrivilege          1460  msiexec.exe
Token: SeCreateGlobalPrivilege         1460  msiexec.exe
Token: SeBackupPrivilege               512   vssvc.exe
Token: SeRestorePrivilege              512   vssvc.exe
Token: SeAuditPrivilege                512   vssvc.exe
Token: SeBackupPrivilege               4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeTakeOwnershipPrivilege        4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeTakeOwnershipPrivilege        4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeTakeOwnershipPrivilege        4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeTakeOwnershipPrivilege        4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeTakeOwnershipPrivilege        4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeTakeOwnershipPrivilege        4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeTakeOwnershipPrivilege        4568  msiexec.exe
Token: SeRestorePrivilege              4568  msiexec.exe
Token: SeTakeOwnershipPrivilege        4568  msiexec.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Token: SeSecurityPrivilege             3200  rundll32.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Token: SeSecurityPrivilege             3200  rundll32.exe
Token: SeBackupPrivilege               3200  rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
1460  msiexec.exe
1460  msiexec.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process                procid_target  entries
PID 4568 wrote to memory of 4344    4568  msiexec.exe            94             2
PID 4568 wrote to memory of 668     4568  msiexec.exe            96             2
PID 668 wrote to memory of 1748     668   MsiExec.exe            97             2
PID 668 wrote to memory of 2596     668   MsiExec.exe            98             2
PID 4568 wrote to memory of 4388    4568  msiexec.exe            99             2
PID 4388 wrote to memory of 3200    4388  MsiExec.exe            100            2
PID 4388 wrote to memory of 1812    4388  MsiExec.exe            101            2
PID 4388 wrote to memory of 2444    4388  MsiExec.exe            102            2
PID 2444 wrote to memory of 2752    2444  rundll32.exe           103            2
PID 4136 wrote to memory of 4744    4136  pdq-connect-agent.exe  106            2
PID 4568 wrote to memory of 2284    4568  msiexec.exe            107            2
PID 2284 wrote to memory of 1072    2284  MsiExec.exe            108            2
PID 2284 wrote to memory of 3984    2284  MsiExec.exe            109            2
PID 4136 wrote to memory of 3320    4136  pdq-connect-agent.exe  112            2
PID 4136 wrote to memory of 1460    4136  pdq-connect-agent.exe  115            2
PID 4136 wrote to memory of 4512    4136  pdq-connect-agent.exe  117            2
PID 4136 wrote to memory of 2936    4136  pdq-connect-agent.exe  119            2
PID 4136 wrote to memory of 2404    4136  pdq-connect-agent.exe  121            2
PID 4136 wrote to memory of 1364    4136  pdq-connect-agent.exe  123            2
PID 4136 wrote to memory of 2400    4136  pdq-connect-agent.exe  125            2
PID 4136 wrote to memory of 2720    4136  pdq-connect-agent.exe  126            2
PID 4136 wrote to memory of 4300    4136  pdq-connect-agent.exe  127            2
PID 4136 wrote to memory of 4456    4136  pdq-connect-agent.exe  128            2
PID 4136 wrote to memory of 2580    4136  pdq-connect-agent.exe  129            2
PID 4136 wrote to memory of 2892    4136  pdq-connect-agent.exe  130            2
PID 4136 wrote to memory of 3580    4136  pdq-connect-agent.exe  131            2
PID 4136 wrote to memory of 2976    4136  pdq-connect-agent.exe  132            2
PID 4136 wrote to memory of 2848    4136  pdq-connect-agent.exe  141            2
PID 4456 wrote to memory of 5808    4456  powershell.exe         144            2
PID 1364 wrote to memory of 5912    1364  powershell.exe         145            2
PID 5912 wrote to memory of 5992    5912  csc.exe                146            2
PID 4136 wrote to memory of 6044    4136  pdq-connect-agent.exe  203            2
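The table above records every CreateProcess as two WriteProcessMemory entries from the parent (parent pid, child pid, parent image, sandbox procid_target), so it is the raw material for rebuilding the process tree when the rendered tree is not available. The parser below is an added example, not part of the sandbox's tooling; its input is a constructed excerpt of the rows above in the same line format. It de-duplicates the doubled rows, builds parent/child maps, and returns the ancestry of any pid, which is the quickest way to answer "what launched csc.exe" (pdq-connect-agent.exe -> powershell.exe -> csc.exe -> cvtres.exe, the chain an Add-Type compilation leaves behind).

```python
import re
from collections import defaultdict

# One entry per "PID <ppid> wrote to memory of <pid> <ppid> <parent image> <procid_target>".
_WPM_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) (?P<image>\S+) (?P<target>\d+)"
)

# Constructed excerpt of the report's table (same format, fewer rows).
SAMPLE = """
PID 4568 wrote to memory of 4344 4568 msiexec.exe 94 PID 4568 wrote to memory of 4344 4568 msiexec.exe 94
PID 4568 wrote to memory of 668 4568 msiexec.exe 96 PID 668 wrote to memory of 1748 668 MsiExec.exe 97
PID 668 wrote to memory of 2596 668 MsiExec.exe 98 PID 4568 wrote to memory of 4388 4568 msiexec.exe 99
PID 4388 wrote to memory of 2444 4388 MsiExec.exe 102 PID 2444 wrote to memory of 2752 2444 rundll32.exe 103
PID 4136 wrote to memory of 1364 4136 pdq-connect-agent.exe 123
PID 1364 wrote to memory of 5912 1364 powershell.exe 145 PID 5912 wrote to memory of 5992 5912 csc.exe 146
"""


def parse_wpm(text):
    """Return de-duplicated (ppid, pid, parent_image, procid_target) tuples in report order."""
    seen, rows = set(), []
    for m in _WPM_RE.finditer(text):
        row = (int(m["ppid"]), int(m["pid"]), m["image"], int(m["target"]))
        if row not in seen:            # the sandbox logs each spawn twice
            seen.add(row)
            rows.append(row)
    return rows


def build_tree(rows):
    """children map, parent map, and the image name of every pid the table names."""
    children, parent, image = defaultdict(list), {}, {}
    for ppid, pid, parent_image, _target in rows:
        children[ppid].append(pid)
        parent[pid] = ppid
        image[ppid] = parent_image     # the table names the writer (parent), never the child
    return children, parent, image


def ancestry(parent, pid):
    """Root-to-leaf pid chain for pid, e.g. [4136, 1364, 5912, 5992]."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def roots(children, parent):
    """Pids that spawn children but were never spawned by a row in the table."""
    return sorted(p for p in children if p not in parent)


def render(children, image, pid, depth=0):
    """Indented text tree; '?' marks a child whose image the table does not reveal."""
    lines = [f"{'  ' * depth}{pid} {image.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_wpm(SAMPLE)
    ch, par, img = build_tree(rows)
    for root in roots(ch, par):
        print("\n".join(render(ch, img, root)))
```

Because the table only names the writing process, leaf images (sc.exe, cvtres.exe) have to be filled in from the Processes tree; the ancestry chain is what matters for a detection rule such as "service binary -> powershell.exe -> csc.exe".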
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS activity is the Windows Installer service (msiexec.exe /V, PID 4568) creating a system restore point before the install: it spawns srtasks.exe ExecuteScopeRestorePoint, and vssvc.exe (PID 512) starts and enables SeBackupPrivilege/SeRestorePrivilege as a result (see the AdjustPrivilegeToken table). That is expected installer behaviour; the thing to verify is that no shadow copies are deleted afterwards, which nothing in this report shows.
Processes

[1] C:\Windows\system32\msiexec.exe (PID 1460)
    cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ArchivoNuevo.msi
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe (PID 4568)
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\srtasks.exe (PID 4344)
        cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    [2] C:\Windows\System32\MsiExec.exe (PID 668)
        cmdline: C:\Windows\System32\MsiExec.exe -Embedding C9EE3B4D400FEA0094B5DE13A59B71EF
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\rundll32.exe (PID 1748)
            cmdline: rundll32.exe "C:\Windows\Installer\MSI3F3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240649328 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
            - Drops file in Windows directory
            - Loads dropped DLL

        [3] C:\Windows\system32\rundll32.exe (PID 2596)
            cmdline: rundll32.exe "C:\Windows\Installer\MSI88A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240650390 16 WixSharp!WixSharp.ManagedProjectActions.WixSharp_BeforeInstall_Action
            - Drops file in Windows directory
            - Loads dropped DLL

    [2] C:\Windows\System32\MsiExec.exe (PID 4388)
        cmdline: C:\Windows\System32\MsiExec.exe -Embedding B405301162D1E4B3A5F4E7D44E65A872 E Global\MSI0000
        - Drops file in Windows directory
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\rundll32.exe (PID 3200)
            cmdline: rundll32.exe "C:\Windows\Installer\MSIBC9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240651250 38 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.CreateEventSource
            - Drops file in Windows directory
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\rundll32.exe (PID 1812)
            cmdline: rundll32.exe "C:\Windows\Installer\MSIF54.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240652156 44 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.WriteToken
            - Drops file in Windows directory
            - Loads dropped DLL

        [3] C:\Windows\system32\rundll32.exe (PID 2444)
            cmdline: rundll32.exe "C:\Windows\Installer\MSI11C6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240652796 50 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.StartService
            - Drops file in Windows directory
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\sc.exe (PID 2752)
                cmdline: "C:\Windows\system32\sc.exe" start "PDQConnectAgent"
                - Launches sc.exe

    [2] C:\Windows\System32\MsiExec.exe (PID 2284)
        cmdline: C:\Windows\System32\MsiExec.exe -Embedding 64BA67CFD94910198EF654AA3B1B1820 E Global\MSI0000
        - Drops file in Windows directory
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\rundll32.exe (PID 1072)
            cmdline: rundll32.exe "C:\Windows\Installer\MSI1D04.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240655750 61 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Loads dropped DLL

        [3] C:\Windows\system32\rundll32.exe (PID 3984)
            cmdline: rundll32.exe "C:\Windows\Installer\MSI214D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240656750 77 pdqconnectupdater-setup!pdqconnectupdater_setup.CustomActions.CreateEventSource
            - Drops file in Windows directory
            - Loads dropped DLL

[1] C:\Windows\system32\vssvc.exe (PID 512)
    cmdline: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe (PID 4136)
    cmdline: "C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe" --service
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\msiexec.exe (PID 4744)
        cmdline: "msiexec" /i C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi /quiet /qn /norestart /L*V C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3320)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1460)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4512)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2936)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2404)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1364)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 5912)
            cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\043gxj3v\043gxj3v.cmdline"
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 5992)
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES7B74.tmp" "c:\Windows\Temp\043gxj3v\CSC7EDA1F8AC3994ECBB25B5F182387DFC8.TMP"

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2400)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\TEMP\F9634D40-4A1A-4995-8CC9-3D8F0EFDEB5C\dismhost.exe (PID 5404)
            cmdline: C:\Windows\TEMP\F9634D40-4A1A-4995-8CC9-3D8F0EFDEB5C\dismhost.exe {A57AE340-4B89-4E2C-9F38-C5C80ECD2104}
            - Drops file in Windows directory
            - Executes dropped EXE
            - Loads dropped DLL

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2720)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4300)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4456)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\dsregcmd.exe (PID 5808)
            cmdline: "C:\Windows\system32\dsregcmd.exe" /status

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2580)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2892)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3580)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2976)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2848)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5888)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 880)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4448)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4888)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5104)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3516)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5452)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5028)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5236)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2384)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5676)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4184)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2700)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4976)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5776)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4788)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2468)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4340)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5780)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1420)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3700)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5576)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5408)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1324)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6044)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6052)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 5244)
            cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\bwcwitad\bwcwitad.cmdline"

            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3408)
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES999B.tmp" "c:\Windows\Temp\bwcwitad\CSC5BC1099B23D942C89FCC5B77E7672059.TMP"

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6060)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6068)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\TEMP\EC9996E1-0103-47A3-9B2C-D89CD0DB3DE7\dismhost.exe (PID 1496)
            cmdline: C:\Windows\TEMP\EC9996E1-0103-47A3-9B2C-D89CD0DB3DE7\dismhost.exe {86710B21-6987-48E7-952D-1A1A0C9A7E71}
            - Drops file in Windows directory
            - Executes dropped EXE
            - Loads dropped DLL

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6076)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS

        [3] C:\Windows\system32\dsregcmd.exe (PID 4652)
            cmdline: "C:\Windows\system32\dsregcmd.exe" /status

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6084)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6100)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6108)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6124)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5272)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5324)
        cmdline: "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 452)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5608)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4736)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5644)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell
                - Modifies data under HKEY_USERS

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2400)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6032)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Modifies data under HKEY_USERS

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5360)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\Conhost.exe (PID 6044)
                cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4456)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5680)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1840)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4128)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1808)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4448)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2428)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 632)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2244)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1952)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5388)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1544)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4516)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2860)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2548)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5308)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            - Command and Scripting Interpreter: PowerShell

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5368)
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Command and Scripting Interpreter: PowerShell

[1] C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe (PID 2952)
    cmdline: "C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe" --service
    - Executes dropped EXE
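Two command-line shapes in this tree deserve a classifier rather than eyeballing. rundll32.exe "C:\Windows\Installer\MSIxxxx.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_<n> <index> <assembly>!<type.method> is how a WiX Deployment Tools Foundation (DTF) managed custom action is run out of process; the last argument names the exact .NET method the installer executed (CreateEventSource, WriteToken, StartService), so that is the field worth extracting and logging. "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - reads the script from stdin, so process-creation telemetry (4688, Sysmon event 1) shows nothing of what actually ran; only PowerShell script block logging (event 4104) captures it. The nested powershell.exe -Version 5.1 -s -NoLogo -NoProfile children are server-mode hosts of the kind Start-Job spawns, and csc.exe under powershell.exe is Add-Type compiling C# on the fly. The classifier below is an added example, not part of the report or of PDQ's software; its input records are a constructed subset of the tree above (pids and command lines copied from it, ppid 0 used where the parent is outside the subset), and the tag names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # 0 = parent not included in this constructed subset
    image: str
    cmdline: str


# Constructed subset of the process tree above (pids and command lines copied from it).
PROCS = [
    Proc(4568, 0, "msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(4388, 4568, "MsiExec.exe", r"C:\Windows\System32\MsiExec.exe -Embedding B405301162D1E4B3A5F4E7D44E65A872 E Global\MSI0000"),
    Proc(2444, 4388, "rundll32.exe", r'rundll32.exe "C:\Windows\Installer\MSI11C6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240652796 50 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.StartService'),
    Proc(2752, 2444, "sc.exe", r'"C:\Windows\system32\sc.exe" start "PDQConnectAgent"'),
    Proc(4136, 0, "pdq-connect-agent.exe", r'"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe" --service'),
    Proc(1364, 4136, "powershell.exe", r'"powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -'),
    Proc(5912, 1364, "csc.exe", r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\043gxj3v\043gxj3v.cmdline"'),
    Proc(5888, 2848, "powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile'),
]

# DTF SfxCA launch: rundll32 "<shim>.tmp",zzzzInvokeManagedCustomActionOutOfProc <pipe> <index> <assembly>!<method>
_DTF_RE = re.compile(
    r'rundll32\.exe\s+"(?P<dll>[^"]+\.tmp)",zzzzInvokeManagedCustomActionOutOfProc\s+'
    r'(?P<pipe>SfxCA_\d+)\s+(?P<index>\d+)\s+(?P<assembly>[^!\s]+)!(?P<method>\S+)'
)


def parse_dtf_custom_action(cmdline: str) -> Optional[dict]:
    """Decode a WiX DTF managed custom action command line; None if it is not one."""
    m = _DTF_RE.search(cmdline)
    if not m:
        return None
    fields = m.groupdict()
    fields["index"] = int(fields["index"])
    return fields


def powershell_flags(cmdline: str) -> set:
    """Flags an analyst cares about, derived from the powershell.exe command line alone."""
    low = cmdline.lower().split()
    flags = set()
    if "-executionpolicy" in low and "bypass" in low:
        flags.add("execution_policy_bypass")
    if low[-2:] == ["-command", "-"]:
        flags.add("script_from_stdin")      # nothing in 4688/Sysmon 1; need 4104 script block logs
    if "-s" in low:
        flags.add("server_mode")            # job/remoting worker host, as spawned by Start-Job
    if "-noninteractive" in low:
        flags.add("non_interactive")
    return flags


def classify(procs) -> list:
    """(pid, tag) pairs for the chains in this tree that are worth a detection rule."""
    by_pid = {p.pid: p for p in procs}
    tags = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        name = p.image.lower()
        pname = parent.image.lower() if parent else ""
        if name == "rundll32.exe":
            ca = parse_dtf_custom_action(p.cmdline)
            if ca:
                tags.append((p.pid, f"msi_custom_action:{ca['assembly']}!{ca['method']}"))
        elif name == "powershell.exe":
            for flag in sorted(powershell_flags(p.cmdline)):
                tags.append((p.pid, f"powershell:{flag}"))
            if parent and parent.cmdline.endswith("--service"):
                tags.append((p.pid, "powershell:spawned_by_service"))
        elif name == "csc.exe" and pname == "powershell.exe":
            tags.append((p.pid, "powershell:add_type_compile"))
        elif name == "sc.exe" and pname == "rundll32.exe":
            tags.append((p.pid, "msi_custom_action:starts_service"))
    return tags


if __name__ == "__main__":
    for pid, tag in classify(PROCS):
        print(f"{pid:>5}  {tag}")
```

The useful output is the method name pulled out of the custom-action line and the fact that every -Command - host here is fed by the service binary: for a legitimate management agent that is expected, but it is exactly the shape a malicious MSI would reuse, so the script block logs are what separate the two.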
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 399KB
  MD5: 5d87075c8468468969d1a918ba76b406
  SHA1: a39cff28955e57bb2124fa595aff0b733d0525df
  SHA256: 4542dcf3b6ea668b38a0046acdbf7382e46dc1d5c8c04c8b4acc6af3f154c718
  SHA512: 7de7f140482f70314311b94a3a6979ba44e31bc9dc5219fec5c85bda93b4f613c5a489cf37bfb0650e8bb89b04e9722e5183d5bfa5a0b8e497535a915cbd223b
- Filesize: 398KB
  MD5: fe1a59ba31f11fb796c7ec3179d95a8d
  SHA1: 3c82932b2b78ce153faea8e4b09d36d1a7321899
  SHA256: 5fa609fdf7411a0ff472177b207b2c69e6801888651ca7867b7fb8f5ce6654ee
  SHA512: 5b94349c71336f4cb3ede984d8f545f75f252f8751dd86f1e2851703988265dd015f5da95d31d0f751e433e54666865ac01e72baa939136f869fb496fdf9756a
- Filesize: 8.7MB
  MD5: 261615a6f6874fbd61b5ac3dc15d17fc
  SHA1: 605c394c5f4968f181cf8cdcf5642c250fd9a8e5
  SHA256: 56186e8c33ad8da8621134794f3a8dee38f9b0462e2dd679908c1374938ddb36
  SHA512: 5273ae4a371e8e0dd8db836a9e59d222e90c5aa619564ab4cfdb107ec5becb01b2f188f78d8b2cf10dd2bb0ab0cd288c7af537351ed65b21dde80c9aa0cf825d
- Filesize: 3.3MB
  MD5: bb3ca7301fa7d4434ffa7e294b9827c4
  SHA1: 60ac464927553aea2c5ab33345f074fe1ede4217
  SHA256: 8daa7bc4f2e938960186dfd65ee38cc8917361c90dc9cfef5f2ce83306691988
  SHA512: 56e54e21806da03b9ad3806dcec1bb25cd371a438e1b78923df9c96a0d76ac00484c0caaeff72dd3720edf7bb120607b79dd30ceea8851c21cbb58d5679ffab4
- Filesize: 3.0MB
  MD5: 5b37244e2bdbaa4c00da0cc09928cb98
  SHA1: 39716cc8fbbcf23bf9e5b17b2ddfbf95668e53b7
  SHA256: 101665452ebc6e400550380510e8db10a9ce2af1e458f928ca4b0188daeceb9d
  SHA512: 377bf3868b41026680e11dde3086afdd48518187e3f831efddeae0a50fce74ba69b364b8a99bfed574c1c2349806602cef6e6d492b4b05f17eda6e3555f403d8
- Filesize: 1KB
  MD5: 39d6742feabff7c40b555d48a775b020
  SHA1: 806b51d28c050ff9469aff5fd32afbe25d81bb5d
  SHA256: 7c67f07a65059a77e07e1ab27a57c5f229a8c4246553b31d703af5f736eef10e
  SHA512: ef318127462a9d6d56fe1ede95e0e140a65497990bdc0a83c6972d35350ff4611544e551e3df578795da0550126803e7aaef714b60481f2ec8d5d8bf7f72665a
- Filesize: 86B
  MD5: 2a56b04396f6c0f9633aa1c7be624691
  SHA1: 5f9fb318948cc089cb53fe3cdd30fe189c465c9c
  SHA256: b7cf14f5ae19b6000f07c4ce9d217236d4c220e1b6087c4e89230bb9ed3d5105
  SHA512: fe7681852fb40f362d8dc68347038108cc2a7db9462df5d4bfd3a873ba5da23ea5ccd4abb4b68ddf957fca20f1f9da03c20c96d9e6da622e2459adaa640d63a1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
  Filesize: 471B
  MD5: 719182e07998ae9226d45680aa1fe178
  SHA1: 8f8b03c110c129cb3a35841ed959de7a7266ffec
  SHA256: 8f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe
  SHA512: 2df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4
Filesize727B
MD5960818b90ace97aed45bb4b97f88ecb1
SHA1c165689921f33f55e00840a7706237eac2b81198
SHA256ac6905c108d9910dfe342e6430e67da929305be9717cd50e8c6376e58c3e3f85
SHA5125d9138ef49b7ec7347dc571498dfd1d2a792e0567fb610acd5259e8c641f3e20bd5265b876dab7ee209e53cedb2450f847dacfcd12afbeb006f4e88b567f1781
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CB7DFFEEA63BAB482BD2705E7E24AB_D64C5BFAB2C28B4652E4AC7169A0D3DB
Filesize727B
MD5d35fefa00b97d7cda113a5ceb31d6c9c
SHA197f3c468b40ab904daddf00b2a84ea4ce7c14a15
SHA2563e2111a1835ed86df0346435b07e86a13b7bfe9e0f9ce0c84acbabfb4f540bf8
SHA512a246769c21cae9c341180c266f7042d5895107ca5fd34add16914d7d2b2d328fb12a0f71f54e8675da15a9392835d0137db64b81853cbfc0950997a2cf34bbb1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD5ea7d7e5164f329740fb032cdefebef49
SHA15439a33021d0c2eed9ba82ec013936eda3c7a033
SHA256af759043ffee8f430d7484d538b884daa3dab504a50e8e5f6bed7b2ab66b9a59
SHA51282c85898b27a4fea5b82ae82c87708f6815c64ac165f279eca1f95481d9875ee107d4786f95fd3a48c34b686ee56095f1a0c0ed4573afa246127e9e8b19455ec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4
Filesize416B
MD563ff48e5c3905e1bcfd3f3dd35d7336b
SHA1d20bf70ba2425201dc9303a943557b7abbe66e6b
SHA256f32370a6076276aa94d8bed9e91e710cbcea1db41945da50ff8dc42e880dde97
SHA512979e6af8af00aa670ba7dde590436bc892e5a7e754fde035d41356091de3c580656aef2ef6d1302c332c2da4809314b4b90e2b65a90165bce582f8605cff07f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CB7DFFEEA63BAB482BD2705E7E24AB_D64C5BFAB2C28B4652E4AC7169A0D3DB
Filesize408B
MD543b556b7d91f97ce6c050b11fe9b661a
SHA104ff26d00c47fd687f9011d07780550ab3cf459b
SHA25647328328bacdc1027b091e7ea9b746257d233199d1a0eae294b351f6a343f5ed
SHA5129f4a97ef547f5407e14993b673e6c3a014325d7feb00d19eed6b7435029a5cf0110458449f808fbb74d7474aa2b5ab860a9093e551c840ac6727cdc99f2a644f
-
Filesize
651B
MD500bfeb783aeff425ce898d55718d506d
SHA1aac7a973dc1f9ca7abc529c7ea37ad7eaf491b8f
SHA256d06099ef43eb002055378b1b6d9853f9b1f891ada476932ba575d1f97065a580
SHA5122209d5f4999cb36ebf26c6b8cb3195cc9fc0f0a103f4a28dd77b04605d7c6e79d47d806454c63b8d42bbe32864be7cdb56df3cccf71a6c27fe0b331d8304e1ff
-
Filesize
539KB
MD5116108233cb1435bee51bbd8d05451f2
SHA1e6f725c73bb9c68827a12706d6612ccf50cfd797
SHA25685b6e5dc375ed84da40eb1571fb84b342a09daa040459aed737944cef22b3058
SHA512d57f3fa1d365dc2e28c51a32c8bcd1316d5ee2a4fdd419df3354afbcea2a3ae6bcc6cef83d9ef283861ebf4f344d6d4f9a5e8596a24be74e209fa1e519e55bfa
-
Filesize
550KB
MD52fd5cb19412a83cedd1949df65fdca84
SHA1f6d19feee650f38f878236ec6ed32ec139d271bd
SHA25611d26f41e4b4abcf60b38b4200873fd18f65cab415268fdd74bca5d6e590cb18
SHA512926a4c1d11a909b5402d546d93e2ac3229c2c32b4e96302fede7fa0b223d0c14096e0c00f7c728a0389775adac24ed8a49b6013ba89dbc5a12fb1ddacc9df77e
-
Filesize
549KB
MD545e153ef2e0aa13c55cd25fafa3bce90
SHA19805ae1f48e801df6df506f949b723e6553ce2e5
SHA2562104d3c13e6b624a7d628534fcdf900730752f9ff389b0f4fe1de77c33d8d4c1
SHA51287f967910b99a9833a1cb6de12225cf6c7b08239e49059ae5303bfcd1c69bcc691d35ee676a761456ec2a6ded199ac30adc28b933cb8ad0e09c0a99456db3d8a
-
Filesize
390KB
MD5e8dc682f2c486075c6aba658971a62cc
SHA17cd0a2b5047a4074aa06a6caa3bb69124851e95d
SHA2567aacd4c18710e9bc4ff2034895a0a0c8f80f21809fb177d520e93f7688216e6d
SHA512a0a1f0f418bf2d4ffd079b840aeb0142c7faab7fa72b5e33b1841798569f55a25dfd305abf9c2ca89792f6499f695b69975882697dc53e99d5a975a9fa8c7d75
-
Filesize
552KB
MD5b8be9443eb257e5d64319aedd93006fb
SHA115d1195faa545c7ac3ab1fe6044047f6008fb0a8
SHA256d81b62896e97bb77a7b7796665dce3ab9913352e9fe18d420818598cbeb4f34b
SHA512429dfb4b845408d8c8c045d3295a05f817f4a03c037c9259a9867342bd5919c4d87d7fbae3d6641db9bf273965d642da2ab194ea26b6ebc07f77b42abd26b1bf
-
Filesize
980B
MD5c9c40af1656f8531eaa647caceb1e436
SHA1907837497508de13d5a7e60697fc9d050e327e19
SHA2561a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8
SHA5120f7033686befa3f4acf3ed355c1674eaa6e349fba97e906446c8a7000be6876f157bc015bf5d3011fbbdc2c771bcbaea97918b8d24c064cbbd302741cc70cbc7
-
Filesize
602KB
MD5ebed2675d27b9383ee8e58bdeddd5da4
SHA14dc37974db638ec02363c784fa2c178125f4280f
SHA256caa9da1c55e33446eaeb783957e990847369423c7dd652f07a5c93bf1d786a66
SHA512b13538f58b766abd013f73d398eaa4e1adec3fc967415bf7f95198e6f55ac65a12a0c3863708b6fb525ef4a01f0ab88485bb990527bc0e4f5159c8419811dfab
-
Filesize
193KB
MD5b82b13d16e7f3d3607026f61b7295224
SHA1d17b76907ea442b6cc5a79361a8fcec91075e20d
SHA256bcc548e72b190d8f39dcb19538444e2576617a21caba6adcb4116511e1d2ddee
SHA512be8c0b8b585fc77693e7481ca5d3f57a8b213c1190782fd4700676af9c0b671523c1a4fa58f15947a14c1ff6d4cda65d7353c6ba848a3a247dfcda864869e93f
-
Filesize
24KB
MD575f16349cafae8f37bd1e207e2ec83d2
SHA1f16f6adf8fd8344749ee7c9afe899f11caa959fe
SHA256f3bb2b9230b8a6066dfeeb172ad32ae3ea31d2d49c76bdcc8a1e2531fa61f5b7
SHA5122b1cc8c0dfb787a01d8834f0193f7b30de04cbbec271a98502f98956c136aa16e9a0bd388b4e03c075a9cb1deb0f51fb4eecc92af3ce1c87b363ac5076fc823b
-
Filesize
4.7MB
MD582f3f74379c6dbdbca3a64c5717c2faa
SHA1ba5562e233c1f83d6929db8dd03860a99bf58fa4
SHA2566696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d
SHA5128bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1
-
Filesize
2.1MB
MD534efe56745f3acec547838781f78adbf
SHA13ae58fee79e595913485604f0842f9e2728fcb37
SHA2562a5903157fde05da7f99138edc4b858439916bf7b6626b1a96180de0d63bc457
SHA512f1ac6ffa1663b3497a87c5788f108df13dc864d73206bae4e30e56e4a7c870516a608530f5378d521cd39aad549ca35b1be30713476093edaeb73cd0b6ed1da6
-
Filesize
142KB
MD5e5d5e9c1f65b8ec7aa5b7f1b1acdd731
SHA1dbb14dcda6502ab1d23a7c77d405dafbcbeb439e
SHA256e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80
SHA5127cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize3KB
MD5da9004526f284715088a18c46d4c7ff3
SHA1bb613d032614d4719a18a48f6b0aa9a586070126
SHA256ff03006fcaf63f80a861e66316c4398ba8122f0afd8634a5a2d4deec43a75a87
SHA51295029b85a995982cf1fddcd3fe4aae0757a1e0583ba51c8b6f1b00952bd01db4c65b78694b01c390472a822f0fabf162f488842fa68ee63ed82d892cfc82fcae
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD577b25ee309729b58fbb68c8f37e86354
SHA1127eaaf5b11b662c82641d1c3d32a0d23c97b9b3
SHA25686d7559fc08655027bbe7b6ccbea8896d67d6a4716d989c91dc69f0f1e6d5f9e
SHA512211b880fc3fee0621a72d5c6301b9978eb614523f712ea7a659524398d639d1fb3fac261994af675e372f7e0b09e2dd60a9ec0ee14c285d3cac8306e9b50a1f7
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD50879445485f0b34f7b8dd675b909bd04
SHA147c903adeb4a1214cf6ffb700874f13bd6f63661
SHA256c5b25eb26eaf6ada526db6c91ef3ed1c6deae353e28b4e9d13a190e12b196d8e
SHA512ac5c99035936ebbceffc57ad43e8173c575e0239dd3d741f820193963e136c2ce897db9b6b9537c35c855296cc9967ef071b7aa6dafa8e259ebdf2cdade87b62
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD54be540dbcf1b49e8561337b51ec4e4b3
SHA1b74bb84009415dbafb2f352750bd65887b8614b5
SHA256bb5357e7bea50544d0999ac46d220fb5f699677017bf097cc66e2ecfbd6d8402
SHA512c26a06ee28ad396601f9377f16011398b9692f07bb017c267978a2bd95a4c5768503887dc7113403997d1bff90622903b5efb194aec7be453844ed107dd3cde9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5ca427f09eb7c0cf982da90770ca300e3
SHA1e80b1c63ead6aa8c190fbb5666a1ecbcdaa05144
SHA256e0a6b3afe4e64f12368979803d19fecdefb026cbb81656ad4f9e37ee72dafec4
SHA5122107bc565ce4bbdadd5521b986b0e3380f966711cd9b619c474774696774982cdf72e0229fd1163204d8f85a8bb0cfe7ad6d87d6f454d328f7d75022ac21eae8
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD532f8c1086b3cecbb593c98c7a36e0679
SHA1d188e6e4493253d74f2447047f29ab8a59421f6a
SHA2568bd639b2bf84a2b2365f228608c592e929cd37f042a32fc18152bf0a6a77c70e
SHA5125a4abb2deb80adab18ab44c9f2848640a62b1064c7b4a12d8b33d31b20ab69e3db0813a967f966d13bbc3a068866aa6bb1627b4efcf40172b7b079c8b38c078d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5725d14383d31e65c06060d0a67e4740b
SHA1244a275bfd7bbc7a5181545a36c993fdfb9c7994
SHA256cfb67f99c276c4b3d8b8d16d9002882d2121b49c2a616db77ea505ee41d53365
SHA51274b73133365c982ab9a03c8e43d1a47885d8922c8333106435cbaf3a153fc2f0f31577c7ae3cf743d670389cbea5064d078ae0b22041f3d601b9abff4e914259
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD509a8a81ee6102a2bfa04f51639e4d837
SHA1fb9b0c84ae3b8859d2d060cebfbb8ee5b2ad0b34
SHA2564b3661953b05001a11c09c2ed6bfc2fd3e1ce31db27bbd14c2d467e05d5aed5b
SHA5120623f0f8ea75706c218113f7c0d2b418f24a141451f17a044d868c126a750e130bd01887a1067a1d339372a6c5cc7d9d4fa6030e4c6fca9a250482658fb2907b
-
Filesize
24.1MB
MD5fdeef4039af72d29a4b37762dc2f9132
SHA1eaf1f1cd00b212d6972f92685ce367e37e2847c1
SHA256d40072510c00f23ba17ea999b7a5ac9ae70e16a4cccf518536fe48e970c15acf
SHA512b84df364c90009502434f7546a8ba4ee3ee9d5ca32dc0b4ee8d1080a20579911a202caeab26acf163b7cec22307b584b62d3cad2c3e3438525036b6b26b07d41
-
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a213afda-ec80-4c66-a07e-2cbc6e39f115}_OnDiskSnapshotProp
Filesize6KB
MD5178342a35fdbe19f372312f068d0f07a
SHA102d7bada9080195df6f33ad818ed562bf480eafa
SHA25628024a3111eb65fdd7751e2d37b1ae1437e52e42c184324181e1d1853d40ebc6
SHA51250986d81d2915349117af0c5f98b09ce9dccb5b5d2f4f37e8ac1ea1a2601b1ea82599ff0cb87e8526f3cc82e7eb158a47335d23284abbbd8b4a3cf0cfaba02f4
-
Filesize
889B
MD5dc979c0e403543f9000fc7650c17d17e
SHA1907cf70a5b63337e620ca3da119e46145cf40546
SHA2564c2601bd3a1eb9214c16e66e3b677f91f1c4072f0cc95d515b8cdea9b7708b3a
SHA512f544d9fcb4ea073d2c8741a23f75bb67e404480aa3e781688a7913e1bab2edb25a42f70c739eb2d47215400e6ff0f8f9cfe0e64ee42c81010f43bb0a34d9655b
-
Filesize
333B
MD5c14ef94bc1e5e49e147b22b249e13be6
SHA1416c789259aed0111552efb1621e41925c5d3aa1
SHA256b77dc54c45c663916e2e4d1d55bf7be7b6719a721c2cb127a099e0226b5a939e
SHA51278f226094b8d1a79872832165e8f1b2b8ece70727191b0967acf39c95ef59c4a95363e620031829fe8f373876ccf9d964d1691ef152aafad9ed7958cbab1a632
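A few of the paths above carry more signal than the unnamed blobs. The `CryptnetUrlCache` files are CryptoAPI's cache of certificate-chain fetches (CRL, OCSP, AIA), which is what Authenticode verification of a signed installer leaves behind, so that network activity should not be confused with a payload's own traffic. Everything under `C:\Windows\system32\config\systemprofile` was written by a process running as LocalSystem: the `CLR_v4.0\UsageLogs\powershell.exe.log` file is the CLR's usage log for powershell.exe under that account, and `StartupProfileData-NonInteractive` is rewritten on each non-interactive PowerShell start-up, which is why the same path appears seven times with different hashes. The `SPP\OnlineMetadataCache` entry is System Restore snapshot metadata, consistent with an MSI install creating a restore point. What follows is an added example, not part of the report: a Python normaliser for this list in the extracted form above (label fused to its value, `Filesize` sometimes on a line of its own) that validates hash lengths, converts the rounded sizes to bytes, groups rewritten paths, and looks up a SHA256 you already have. The sample copies three entries from the list and adds one deliberately damaged entry, marked in the code, so the validation has something to report.

```python
"""Normalise a sandbox report's flattened Downloads hash list into IOC records.
Added example, not part of the report. SAMPLE copies three entries from the list
above in their extracted form (label fused to value, Filesize sometimes on its
own line) plus one deliberately damaged entry, marked below."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = r'''
-
Filesize
4.7MB
MD582f3f74379c6dbdbca3a64c5717c2faa
SHA1ba5562e233c1f83d6929db8dd03860a99bf58fa4
SHA2566696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d
SHA5128bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD577b25ee309729b58fbb68c8f37e86354
SHA1127eaaf5b11b662c82641d1c3d32a0d23c97b9b3
SHA25686d7559fc08655027bbe7b6ccbea8896d67d6a4716d989c91dc69f0f1e6d5f9e
SHA512211b880fc3fee0621a72d5c6301b9978eb614523f712ea7a659524398d639d1fb3fac261994af675e372f7e0b09e2dd60a9ec0ee14c285d3cac8306e9b50a1f7
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD50879445485f0b34f7b8dd675b909bd04
SHA147c903adeb4a1214cf6ffb700874f13bd6f63661
SHA256c5b25eb26eaf6ada526db6c91ef3ed1c6deae353e28b4e9d13a190e12b196d8e
SHA512ac5c99035936ebbceffc57ad43e8173c575e0239dd3d741f820193963e136c2ce897db9b6b9537c35c855296cc9967ef071b7aa6dafa8e259ebdf2cdade87b62
-
Filesize
86B
MD52a56b04396f6c0f9633aa1c7be6246
SHA15f9fb318948cc089cb53fe3cdd30fe189c465c9c
'''
# The last entry is constructed: MD5 cut to 30 hex digits, SHA256/SHA512 dropped.

HEX_LEN = {'MD5': 32, 'SHA1': 40, 'SHA256': 64, 'SHA512': 128}
# Longest labels first so 'SHA512...' is not read as 'SHA5' followed by '12...'.
FIELD_RE = re.compile(r'^(SHA512|SHA256|SHA1|MD5|Filesize)\s*(.*)$')
SIZE_RE = re.compile(r'^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$')
UNIT = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}


@dataclass
class Artifact:
    path: Optional[str] = None
    size_text: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)

    def put(self, label: str, value: str) -> None:
        if label == 'Filesize':
            self.size_text = value
        else:
            self.hashes[label] = value.lower()


def parse_downloads(text: str) -> List[Artifact]:
    out: List[Artifact] = []
    cur, pending = Artifact(), None      # pending: label whose value is on the next line
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == '-':                  # entry separator
            if cur.hashes or cur.path:
                out.append(cur)
            cur, pending = Artifact(), None
        elif pending:
            cur.put(pending, line)
            pending = None
        elif (m := FIELD_RE.match(line)):
            label, value = m.group(1), m.group(2).strip()
            if value:
                cur.put(label, value)
            else:
                pending = label
        elif '\\' in line:               # Windows path, including \??\Volume{...} forms
            cur.path = line
    if cur.hashes or cur.path:
        out.append(cur)
    return out


def size_bytes(a: Artifact) -> Optional[int]:
    """Report sizes are rounded (4.7MB), so this is approximate, not an exact length."""
    m = SIZE_RE.match(a.size_text or '')
    return int(float(m.group(1)) * UNIT[m.group(2)]) if m else None


def validate(a: Artifact) -> List[str]:
    errors = []
    for label, n in HEX_LEN.items():
        v = a.hashes.get(label)
        if v is None:
            errors.append(f'{label} missing')
        elif not re.fullmatch(rf'[0-9a-f]{{{n}}}', v):
            errors.append(f'{label} malformed ({len(v)} chars)')
    if size_bytes(a) is None:
        errors.append('Filesize missing or unparsable')
    return errors


def group_by_path(artifacts: List[Artifact]) -> Dict[str, List[Artifact]]:
    """The same path listed several times means the file was rewritten during the run."""
    groups: Dict[str, List[Artifact]] = {}
    for a in artifacts:
        if a.path:
            groups.setdefault(a.path, []).append(a)
    return groups


def find_by_sha256(artifacts: List[Artifact], sha256: str) -> List[Artifact]:
    return [a for a in artifacts if a.hashes.get('SHA256') == sha256.lower()]
```

Run it on the full list and the unnamed entries become a clean blocklist of SHA256 values, while `group_by_path` separates the rewritten per-run files (the PowerShell start-up profile, the CryptnetUrlCache pairs) from the one-off drops that are worth hunting for on other hosts.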