6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d.msi
Size

4.7MB
MD5

82f3f74379c6dbdbca3a64c5717c2faa
SHA1

ba5562e233c1f83d6929db8dd03860a99bf58fa4
SHA256

6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d
SHA512

8bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1
SSDEEP

98304:wph2BBopK5X4MkjkZMiWFLH/qJ/YOKa4RpnoYbO:eQuKl5kjQMr/qJ/YFaO9DO

Score

6^/10

execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	5116	msiexec.exe
6	5116	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\PDQ\PDQConnectAgent\LICENSE.html	msiexec.exe
File created	C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe	msiexec.exe
File created	C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57a131.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA46C6D083674AA27AF43252274DDB175E\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA30F657EA1546AB89739EB1EBC40A8AF8\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA30F657EA1546AB89739EB1EBC40A8AF8\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA8DECD1E8BF4D52C98818EE967561833B\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAE3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Installer\SFXCAFCDEFB06BF41515914BD497A68CE3E06\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA6E56CD022643C1EAABBCBEF4E19D0F12\WixSharp.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{0EC05CD8-8D17-472C-86DA-AF1E5356256F}	msiexec.exe
File created	C:\Windows\Installer\e57a138.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA995.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCAFCDEFB06BF41515914BD497A68CE3E06\pdqconnectagent-setup.pdb	rundll32.exe
File created	C:\Windows\Installer\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA7DADC0F62D48531A3CDABCD2DDC844F1\pdqconnectagent-setup.pdb	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA0A0037D70B42ECE9DBF04DF51E66D3AB\pdqconnectupdater-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIABA9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA6E56CD022643C1EAABBCBEF4E19D0F12\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\wix{0EC05CD8-8D17-472C-86DA-AF1E5356256F}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA30F657EA1546AB89739EB1EBC40A8AF8\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA7DADC0F62D48531A3CDABCD2DDC844F1\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\e57a134.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA704.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA8DECD1E8BF4D52C98818EE967561833B\pdqconnectagent-setup.pdb	rundll32.exe
File created	C:\Windows\Installer\wix{F03416B2-8C97-4CC4-8578-5F6A58033B84}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIB35D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA0A0037D70B42ECE9DBF04DF51E66D3AB\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA0A0037D70B42ECE9DBF04DF51E66D3AB\pdqconnectupdater-setup.pdb	rundll32.exe
File created	C:\Windows\Installer\e57a131.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6B4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA6E56CD022643C1EAABBCBEF4E19D0F12\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIB5B1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA46C6D083674AA27AF43252274DDB175E\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA49E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA7DADC0F62D48531A3CDABCD2DDC844F1\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\e57a133.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA46C6D083674AA27AF43252274DDB175E\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCAFCDEFB06BF41515914BD497A68CE3E06\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCAFCDEFB06BF41515914BD497A68CE3E06\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA7DADC0F62D48531A3CDABCD2DDC844F1\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA0A0037D70B42ECE9DBF04DF51E66D3AB\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA46C6D083674AA27AF43252274DDB175E\WixSharp.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{F03416B2-8C97-4CC4-8578-5F6A58033B84}	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA8DECD1E8BF4D52C98818EE967561833B\WixToolset.Dtf.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\app_icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA8DECD1E8BF4D52C98818EE967561833B\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA7DADC0F62D48531A3CDABCD2DDC844F1\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCA30F657EA1546AB89739EB1EBC40A8AF8\pdqconnectagent-setup.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\SFXCAFCDEFB06BF41515914BD497A68CE3E06\pdqconnectagent-setup.exe	rundll32.exe
File created	C:\Windows\Installer\e57a134.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\SFXCA0A0037D70B42ECE9DBF04DF51E66D3AB\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIB8B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3288	pdq-connect-agent.exe
5000	pdq-connect-updater.exe
4516	dismhost.exe
4240	dismhost.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2340	sc.exe

Loads dropped DLL 31 IoCs

pid	Process
3964	MsiExec.exe
2912	rundll32.exe
3964	MsiExec.exe
3964	MsiExec.exe
2140	rundll32.exe
3964	MsiExec.exe
3964	MsiExec.exe
2052	MsiExec.exe
4236	rundll32.exe
2052	MsiExec.exe
2208	rundll32.exe
2052	MsiExec.exe
4540	rundll32.exe
2052	MsiExec.exe
2052	MsiExec.exe
3400	MsiExec.exe
2248	rundll32.exe
3400	MsiExec.exe
3400	MsiExec.exe
4628	rundll32.exe
3400	MsiExec.exe
4516	dismhost.exe
4516	dismhost.exe
4516	dismhost.exe
4516	dismhost.exe
4516	dismhost.exe
4240	dismhost.exe
4240	dismhost.exe
4240	dismhost.exe
4240	dismhost.exe
4240	dismhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2984	powershell.exe
1920	powershell.exe
5480	powershell.exe
4364	powershell.exe
1496	powershell.exe
5548	powershell.exe
1488	powershell.exe
5876	powershell.exe
5696	powershell.exe
4640	powershell.exe
2008	powershell.exe
2744	powershell.exe
852	powershell.exe
5516	powershell.exe
5592	powershell.exe
5412	powershell.exe
4216	powershell.exe
5608	powershell.exe
212	powershell.exe
5140	powershell.exe
2780	powershell.exe
1248	powershell.exe
5132	powershell.exe
988	powershell.exe
5752	powershell.exe
4576	powershell.exe
2020	powershell.exe
2544	powershell.exe
5552	powershell.exe
4572	powershell.exe
4056	powershell.exe
4332	powershell.exe
4300	powershell.exe
1972	powershell.exe
5920	powershell.exe
5944	powershell.exe
4300	powershell.exe
4628	powershell.exe
5088	powershell.exe
1140	powershell.exe
4300	powershell.exe
4356	powershell.exe
4984	powershell.exe
8	powershell.exe
4112	powershell.exe
2364	powershell.exe
5336	powershell.exe
4116	powershell.exe
1620	powershell.exe
5532	powershell.exe
3468	powershell.exe
4496	powershell.exe
3204	powershell.exe
400	powershell.exe
5500	powershell.exe
3208	powershell.exe
5488	powershell.exe
5684	powershell.exe
5712	powershell.exe
3976	powershell.exe
4496	powershell.exe
5472	powershell.exe
1796	powershell.exe
5680	powershell.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5116	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2B61430F79C84CC45887F5A6803ABC48	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\PackageCode = "434F680B9DE97584B94705A9B6D3133F"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DC50CE071D8C27468ADFAE1356251F6\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B61430F79C84CC45887F5A68530B348\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8DC50CE071D8C27468ADFAE1356251F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\PDQ\\PDQConnectAgent\\Updates\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\ProductName = "PDQConnectAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Net\1 = "C:\\ProgramData\\PDQ\\PDQConnectAgent\\Updates\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\PackageCode = "F48D6C58CE73B4D449EDBD32ED6FF1F1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2B61430F79C84CC45887F5A6803ABC48\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\ProductName = "PDQConnectUpdater"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\ProductIcon = "C:\\Windows\\Installer\\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\\app_icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\PackageName = "6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Version = "196608"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\PackageName = "PDQConnectUpdater-0.3.0.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Version = "84279302"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B61430F79C84CC45887F5A68530B348\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8DC50CE071D8C27468ADFAE1356552F6\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\ProductIcon = "C:\\Windows\\Installer\\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\\app_icon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8DC50CE071D8C27468ADFAE1356552F6\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
2364	powershell.exe
2364	powershell.exe
2364	powershell.exe
4576	powershell.exe
4576	powershell.exe
4576	powershell.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
4116	powershell.exe
5088	powershell.exe
4116	powershell.exe
5088	powershell.exe
5088	powershell.exe
4116	powershell.exe
1140	powershell.exe
1140	powershell.exe
852	powershell.exe
852	powershell.exe
1796	powershell.exe
1796	powershell.exe
2788	powershell.exe
2788	powershell.exe
1496	powershell.exe
1496	powershell.exe
852	powershell.exe
212	powershell.exe
212	powershell.exe
1140	powershell.exe
1620	powershell.exe
1620	powershell.exe
4300	powershell.exe
4300	powershell.exe
1620	powershell.exe
1248	powershell.exe
1248	powershell.exe
1796	powershell.exe
1496	powershell.exe
2788	powershell.exe
212	powershell.exe
1248	powershell.exe
4300	powershell.exe
4116	powershell.exe
4116	powershell.exe
5312	powershell.exe
5312	powershell.exe
5312	powershell.exe
5472	powershell.exe
5472	powershell.exe
5132	powershell.exe
5132	powershell.exe
1488	powershell.exe
1488	powershell.exe
4332	powershell.exe
4332	powershell.exe
5696	powershell.exe
5696	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5116	msiexec.exe
Token: SeSecurityPrivilege	208	msiexec.exe
Token: SeCreateTokenPrivilege	5116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5116	msiexec.exe
Token: SeLockMemoryPrivilege	5116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5116	msiexec.exe
Token: SeMachineAccountPrivilege	5116	msiexec.exe
Token: SeTcbPrivilege	5116	msiexec.exe
Token: SeSecurityPrivilege	5116	msiexec.exe
Token: SeTakeOwnershipPrivilege	5116	msiexec.exe
Token: SeLoadDriverPrivilege	5116	msiexec.exe
Token: SeSystemProfilePrivilege	5116	msiexec.exe
Token: SeSystemtimePrivilege	5116	msiexec.exe
Token: SeProfSingleProcessPrivilege	5116	msiexec.exe
Token: SeIncBasePriorityPrivilege	5116	msiexec.exe
Token: SeCreatePagefilePrivilege	5116	msiexec.exe
Token: SeCreatePermanentPrivilege	5116	msiexec.exe
Token: SeBackupPrivilege	5116	msiexec.exe
Token: SeRestorePrivilege	5116	msiexec.exe
Token: SeShutdownPrivilege	5116	msiexec.exe
Token: SeDebugPrivilege	5116	msiexec.exe
Token: SeAuditPrivilege	5116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5116	msiexec.exe
Token: SeChangeNotifyPrivilege	5116	msiexec.exe
Token: SeRemoteShutdownPrivilege	5116	msiexec.exe
Token: SeUndockPrivilege	5116	msiexec.exe
Token: SeSyncAgentPrivilege	5116	msiexec.exe
Token: SeEnableDelegationPrivilege	5116	msiexec.exe
Token: SeManageVolumePrivilege	5116	msiexec.exe
Token: SeImpersonatePrivilege	5116	msiexec.exe
Token: SeCreateGlobalPrivilege	5116	msiexec.exe
Token: SeBackupPrivilege	316	vssvc.exe
Token: SeRestorePrivilege	316	vssvc.exe
Token: SeAuditPrivilege	316	vssvc.exe
Token: SeBackupPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeRestorePrivilege	208	msiexec.exe
Token: SeTakeOwnershipPrivilege	208	msiexec.exe
Token: SeBackupPrivilege	4236	rundll32.exe
Token: SeBackupPrivilege	4236	rundll32.exe
Token: SeBackupPrivilege	4236	rundll32.exe
Token: SeBackupPrivilege	4236	rundll32.exe
Token: SeBackupPrivilege	4236	rundll32.exe
Token: SeBackupPrivilege	4236	rundll32.exe
Token: SeBackupPrivilege	4236	rundll32.exe
Token: SeSecurityPrivilege	4236	rundll32.exe
Token: SeBackupPrivilege	4236	rundll32.exe
Token: SeSecurityPrivilege	4236	rundll32.exe
Token: SeBackupPrivilege	4236	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5116	msiexec.exe
5116	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 748	208	msiexec.exe	94
PID 208 wrote to memory of 748	208	msiexec.exe	94
PID 208 wrote to memory of 3964	208	msiexec.exe	96
PID 208 wrote to memory of 3964	208	msiexec.exe	96
PID 3964 wrote to memory of 2912	3964	MsiExec.exe	97
PID 3964 wrote to memory of 2912	3964	MsiExec.exe	97
PID 3964 wrote to memory of 2140	3964	MsiExec.exe	98
PID 3964 wrote to memory of 2140	3964	MsiExec.exe	98
PID 208 wrote to memory of 2052	208	msiexec.exe	99
PID 208 wrote to memory of 2052	208	msiexec.exe	99
PID 2052 wrote to memory of 4236	2052	MsiExec.exe	100
PID 2052 wrote to memory of 4236	2052	MsiExec.exe	100
PID 2052 wrote to memory of 2208	2052	MsiExec.exe	101
PID 2052 wrote to memory of 2208	2052	MsiExec.exe	101
PID 2052 wrote to memory of 4540	2052	MsiExec.exe	102
PID 2052 wrote to memory of 4540	2052	MsiExec.exe	102
PID 4540 wrote to memory of 2340	4540	rundll32.exe	103
PID 4540 wrote to memory of 2340	4540	rundll32.exe	103
PID 3288 wrote to memory of 1644	3288	pdq-connect-agent.exe	106
PID 3288 wrote to memory of 1644	3288	pdq-connect-agent.exe	106
PID 208 wrote to memory of 3400	208	msiexec.exe	107
PID 208 wrote to memory of 3400	208	msiexec.exe	107
PID 3400 wrote to memory of 2248	3400	MsiExec.exe	108
PID 3400 wrote to memory of 2248	3400	MsiExec.exe	108
PID 3400 wrote to memory of 4628	3400	MsiExec.exe	109
PID 3400 wrote to memory of 4628	3400	MsiExec.exe	109
PID 3288 wrote to memory of 2364	3288	pdq-connect-agent.exe	111
PID 3288 wrote to memory of 2364	3288	pdq-connect-agent.exe	111
PID 3288 wrote to memory of 4576	3288	pdq-connect-agent.exe	113
PID 3288 wrote to memory of 4576	3288	pdq-connect-agent.exe	113
PID 3288 wrote to memory of 4496	3288	pdq-connect-agent.exe	116
PID 3288 wrote to memory of 4496	3288	pdq-connect-agent.exe	116
PID 3288 wrote to memory of 4628	3288	pdq-connect-agent.exe	118
PID 3288 wrote to memory of 4628	3288	pdq-connect-agent.exe	118
PID 3288 wrote to memory of 4116	3288	pdq-connect-agent.exe	120
PID 3288 wrote to memory of 4116	3288	pdq-connect-agent.exe	120
PID 3288 wrote to memory of 5088	3288	pdq-connect-agent.exe	122
PID 3288 wrote to memory of 5088	3288	pdq-connect-agent.exe	122
PID 3288 wrote to memory of 1140	3288	pdq-connect-agent.exe	124
PID 3288 wrote to memory of 1140	3288	pdq-connect-agent.exe	124
PID 3288 wrote to memory of 1620	3288	pdq-connect-agent.exe	125
PID 3288 wrote to memory of 1620	3288	pdq-connect-agent.exe	125
PID 3288 wrote to memory of 852	3288	pdq-connect-agent.exe	126
PID 3288 wrote to memory of 852	3288	pdq-connect-agent.exe	126
PID 3288 wrote to memory of 212	3288	pdq-connect-agent.exe	127
PID 3288 wrote to memory of 212	3288	pdq-connect-agent.exe	127
PID 3288 wrote to memory of 1796	3288	pdq-connect-agent.exe	128
PID 3288 wrote to memory of 1796	3288	pdq-connect-agent.exe	128
PID 3288 wrote to memory of 2788	3288	pdq-connect-agent.exe	129
PID 3288 wrote to memory of 2788	3288	pdq-connect-agent.exe	129
PID 3288 wrote to memory of 1496	3288	pdq-connect-agent.exe	132
PID 3288 wrote to memory of 1496	3288	pdq-connect-agent.exe	132
PID 3288 wrote to memory of 4300	3288	pdq-connect-agent.exe	138
PID 3288 wrote to memory of 4300	3288	pdq-connect-agent.exe	138
PID 3288 wrote to memory of 1248	3288	pdq-connect-agent.exe	140
PID 3288 wrote to memory of 1248	3288	pdq-connect-agent.exe	140
PID 5088 wrote to memory of 724	5088	powershell.exe	142
PID 5088 wrote to memory of 724	5088	powershell.exe	142
PID 724 wrote to memory of 5208	724	csc.exe	143
PID 724 wrote to memory of 5208	724	csc.exe	143
PID 212 wrote to memory of 5544	212	powershell.exe	145
PID 212 wrote to memory of 5544	212	powershell.exe	145
PID 1248 wrote to memory of 5312	1248	powershell.exe	149
PID 1248 wrote to memory of 5312	1248	powershell.exe	149

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:748
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0D933E5E7352EAE2EB3120C34842CAA8
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA1BE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240624125 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:2912
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA4BF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240624875 16 WixSharp!WixSharp.ManagedProjectActions.WixSharp_BeforeInstall_Action
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:2140
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DA52AB7EE56DA0C1352AF93953285671 E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA704.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240625484 38 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.CreateEventSource
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA995.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240626078 44 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.WriteToken
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:2208
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIABA9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240626640 50 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.StartService
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start "PDQConnectAgent"
      4⤵
      Launches sc.exe
      PID:2340
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 29723AFC1277241163E04DD19549E40F E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIB35D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240628593 61 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:2248
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIB5F0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240629234 77 pdqconnectupdater-setup!pdqconnectupdater_setup.CustomActions.CreateEventSource
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:4628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe
"C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe" --service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\system32\msiexec.exe
  "msiexec" /i C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi /quiet /qn /norestart /L*V C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log
  2⤵
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\jwlpptv0\jwlpptv0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RESF8D7.tmp" "c:\Windows\Temp\jwlpptv0\CSC5F9B8562C7094F2D9E5682678C598B4.TMP"
      4⤵
      PID:5208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- - C:\Windows\TEMP\C76A070D-F7CC-4594-832C-DDE5EDBB5D9D\dismhost.exe
    C:\Windows\TEMP\C76A070D-F7CC-4594-832C-DDE5EDBB5D9D\dismhost.exe {393A254C-6B79-459B-8115-F269EB9E7E6F}
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\system32\dsregcmd.exe
    "C:\Windows\system32\dsregcmd.exe" /status
    3⤵
    PID:5544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:3208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:5412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:8
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:4112
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:5532
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:2020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:5552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Modifies data under HKEY_USERS
    PID:5968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Modifies data under HKEY_USERS
    PID:5704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:5140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:5500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5132
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\52gj1lj4\52gj1lj4.cmdline"
    3⤵
    PID:4272
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\TEMP\RES1846.tmp" "c:\Windows\Temp\52gj1lj4\CSC8BD2EE6378D64FFBAFA9D231F72960.TMP"
      4⤵
      PID:5176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- - C:\Windows\TEMP\03E2DEEB-12B5-4FAC-BA05-B05FE5026F6B\dismhost.exe
    C:\Windows\TEMP\03E2DEEB-12B5-4FAC-BA05-B05FE5026F6B\dismhost.exe {CBE9E5D8-C9FB-41C3-AAC0-2D08873EC9D6}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  PID:5548
- - C:\Windows\system32\dsregcmd.exe
    "C:\Windows\system32\dsregcmd.exe" /status
    3⤵
    PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:5876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:3204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:5516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:5680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:5488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      PID:5972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:5944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Modifies data under HKEY_USERS
      PID:4500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:5712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Modifies data under HKEY_USERS
      PID:1460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:5608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:4364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:4300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      PID:5508

C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe
"C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe" --service
1⤵
- Executes dropped EXE
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a132.rbs

Filesize
399KB

MD5
b9d0105c8613b868aea130529570a7bb

SHA1
7e69a72dd6cf16ec4857bbd9f7c979e53e69bc43

SHA256
5f3122bf387269d5a7d8970baa0fda7f7d531153738549ecf8d1c3aaeca23530

SHA512
02563e94ccf86be14d601fe6466163857ba9430af646bdd3c74462c4904d99a1353df5b10ff16f97b15859df31db69a4db49026f4a57ef778303ace8a8e7dae3

Download Submit
C:\Config.Msi\e57a137.rbs

Filesize
398KB

MD5
372b4d3bc532b540cd8c8c26c7e4b4ef

SHA1
a51f36a157764b8a8d55de436e19c83c6fb9c36e

SHA256
a8464262889681dcc49d90cd784b168c7971cb3d5ddb802d35eb78c9ab880871

SHA512
832a76bf392d988c5dbd2955e8b76879b7708ca04b4e8bd65b4491db64b336a0e593a000a7bdc09d869a616bf4aa8a233d647045cf6e4cb07e5285f7bf0dedba

Download Submit
C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe

Filesize
8.7MB

MD5
261615a6f6874fbd61b5ac3dc15d17fc

SHA1
605c394c5f4968f181cf8cdcf5642c250fd9a8e5

SHA256
56186e8c33ad8da8621134794f3a8dee38f9b0462e2dd679908c1374938ddb36

SHA512
5273ae4a371e8e0dd8db836a9e59d222e90c5aa619564ab4cfdb107ec5becb01b2f188f78d8b2cf10dd2bb0ab0cd288c7af537351ed65b21dde80c9aa0cf825d

Download Submit
C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe

Filesize
3.3MB

MD5
bb3ca7301fa7d4434ffa7e294b9827c4

SHA1
60ac464927553aea2c5ab33345f074fe1ede4217

SHA256
8daa7bc4f2e938960186dfd65ee38cc8917361c90dc9cfef5f2ce83306691988

SHA512
56e54e21806da03b9ad3806dcec1bb25cd371a438e1b78923df9c96a0d76ac00484c0caaeff72dd3720edf7bb120607b79dd30ceea8851c21cbb58d5679ffab4

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi

Filesize
3.0MB

MD5
5b37244e2bdbaa4c00da0cc09928cb98

SHA1
39716cc8fbbcf23bf9e5b17b2ddfbf95668e53b7

SHA256
101665452ebc6e400550380510e8db10a9ce2af1e458f928ca4b0188daeceb9d

SHA512
377bf3868b41026680e11dde3086afdd48518187e3f831efddeae0a50fce74ba69b364b8a99bfed574c1c2349806602cef6e6d492b4b05f17eda6e3555f403d8

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log

Filesize
1KB

MD5
7a940c8eb934615c5ddb20fdddd170e2

SHA1
3e361939d4d4ec40bcfeecf787852b8653c032d8

SHA256
b4d961ce79d550bdfcc27e301e711f70bd1d2fd03b71adcc7a118a0b095f7bd8

SHA512
74e0ab536184da11f9a74fd1316d38878e24741511da627a41f2b22819da90cdd3a4b69d440ba76dc2caba4b7cd7ef869c208736ee90eef57c5a9eec12099a07

Download Submit
C:\ProgramData\PDQ\PDQConnectAgent\token

Filesize
86B

MD5
2a56b04396f6c0f9633aa1c7be624691

SHA1
5f9fb318948cc089cb53fe3cdd30fe189c465c9c

SHA256
b7cf14f5ae19b6000f07c4ce9d217236d4c220e1b6087c4e89230bb9ed3d5105

SHA512
fe7681852fb40f362d8dc68347038108cc2a7db9462df5d4bfd3a873ba5da23ea5ccd4abb4b68ddf957fca20f1f9da03c20c96d9e6da622e2459adaa640d63a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
719182e07998ae9226d45680aa1fe178

SHA1
8f8b03c110c129cb3a35841ed959de7a7266ffec

SHA256
8f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe

SHA512
2df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4

Filesize
727B

MD5
960818b90ace97aed45bb4b97f88ecb1

SHA1
c165689921f33f55e00840a7706237eac2b81198

SHA256
ac6905c108d9910dfe342e6430e67da929305be9717cd50e8c6376e58c3e3f85

SHA512
5d9138ef49b7ec7347dc571498dfd1d2a792e0567fb610acd5259e8c641f3e20bd5265b876dab7ee209e53cedb2450f847dacfcd12afbeb006f4e88b567f1781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CB7DFFEEA63BAB482BD2705E7E24AB_D64C5BFAB2C28B4652E4AC7169A0D3DB

Filesize
727B

MD5
6f1110d00d087c05c5c3d3f6ba59a05e

SHA1
80d2642da0bb8fd62c7fc9b3cf6b9ec185fe7197

SHA256
dbd3f2be36b774724465293d871a29bd93e53da8fabbad60e0c69611d031ef03

SHA512
09968820a65bbaf76b6fac9e3105f91539977421ac5810fac984949aa5a0dbfb33f8bf8b96fa4a535082c4867f267b5fa18e955871d9e8b6581bf84e28a58289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
39936ecce83f1f8bdc8328b814158b98

SHA1
7ee2ce416592f2f967992a9241063dc9933e7d89

SHA256
0a436672f62882cf88e781086df460dd4f9168216a7dbbb6889faa5391edecea

SHA512
1291b20cdd76b67af29d7985b509281902685550f3a58a7b19f793b7eacf8dcc2e0ed661f00765605f7f01669eebfdae6cbd96f599adad18186b2037c29488cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_8DBAD5A433D1F9275321E076E8B744D4

Filesize
416B

MD5
e5815e00390972dadf614a43fd06c3af

SHA1
0ec204c9522f351d3aee0e92d390a156b93fc0cc

SHA256
1d34b0ce54a658507414945ff0cef663178ea94664f4d506f64049909b5aba0f

SHA512
fed8f661226b98c04e84cd84f1aeb69ef8e8694f02f4aceb14efe4b3f8093d3a53bca37ea9835f4a37c0323b9caa3c4df8df29f0b43d1d4c11ae661b150291ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CB7DFFEEA63BAB482BD2705E7E24AB_D64C5BFAB2C28B4652E4AC7169A0D3DB

Filesize
408B

MD5
9fd0f3fa927003af5976254e4aabae65

SHA1
26774f9ddf7e2d55af04bc1c5c4a4efb3793061e

SHA256
b271c011f3832ae913f53e5c91c7aa06df3f5de6b49f9c3606f0f4011b73f091

SHA512
e1791a483ff9a3b4c1a9a9a37e67fa48429323467f3e38b66bf5bfd36b96fb510d7365fa080efff48abef9671cfdd560244707584d0b1dc7da5c84d164ffdf6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
00bfeb783aeff425ce898d55718d506d

SHA1
aac7a973dc1f9ca7abc529c7ea37ad7eaf491b8f

SHA256
d06099ef43eb002055378b1b6d9853f9b1f891ada476932ba575d1f97065a580

SHA512
2209d5f4999cb36ebf26c6b8cb3195cc9fc0f0a103f4a28dd77b04605d7c6e79d47d806454c63b8d42bbe32864be7cdb56df3cccf71a6c27fe0b331d8304e1ff

Download Submit
C:\Windows\Installer\MSIA1BE.tmp

Filesize
549KB

MD5
45e153ef2e0aa13c55cd25fafa3bce90

SHA1
9805ae1f48e801df6df506f949b723e6553ce2e5

SHA256
2104d3c13e6b624a7d628534fcdf900730752f9ff389b0f4fe1de77c33d8d4c1

SHA512
87f967910b99a9833a1cb6de12225cf6c7b08239e49059ae5303bfcd1c69bcc691d35ee676a761456ec2a6ded199ac30adc28b933cb8ad0e09c0a99456db3d8a

Download Submit
C:\Windows\Installer\MSIA49E.tmp

Filesize
390KB

MD5
e8dc682f2c486075c6aba658971a62cc

SHA1
7cd0a2b5047a4074aa06a6caa3bb69124851e95d

SHA256
7aacd4c18710e9bc4ff2034895a0a0c8f80f21809fb177d520e93f7688216e6d

SHA512
a0a1f0f418bf2d4ffd079b840aeb0142c7faab7fa72b5e33b1841798569f55a25dfd305abf9c2ca89792f6499f695b69975882697dc53e99d5a975a9fa8c7d75

Download Submit
C:\Windows\Installer\MSIA704.tmp

Filesize
552KB

MD5
b8be9443eb257e5d64319aedd93006fb

SHA1
15d1195faa545c7ac3ab1fe6044047f6008fb0a8

SHA256
d81b62896e97bb77a7b7796665dce3ab9913352e9fe18d420818598cbeb4f34b

SHA512
429dfb4b845408d8c8c045d3295a05f817f4a03c037c9259a9867342bd5919c4d87d7fbae3d6641db9bf273965d642da2ab194ea26b6ebc07f77b42abd26b1bf

Download Submit
C:\Windows\Installer\MSIB35D.tmp

Filesize
539KB

MD5
116108233cb1435bee51bbd8d05451f2

SHA1
e6f725c73bb9c68827a12706d6612ccf50cfd797

SHA256
85b6e5dc375ed84da40eb1571fb84b342a09daa040459aed737944cef22b3058

SHA512
d57f3fa1d365dc2e28c51a32c8bcd1316d5ee2a4fdd419df3354afbcea2a3ae6bcc6cef83d9ef283861ebf4f344d6d4f9a5e8596a24be74e209fa1e519e55bfa

Download Submit
C:\Windows\Installer\MSIB5F0.tmp

Filesize
550KB

MD5
2fd5cb19412a83cedd1949df65fdca84

SHA1
f6d19feee650f38f878236ec6ed32ec139d271bd

SHA256
11d26f41e4b4abcf60b38b4200873fd18f65cab415268fdd74bca5d6e590cb18

SHA512
926a4c1d11a909b5402d546d93e2ac3229c2c32b4e96302fede7fa0b223d0c14096e0c00f7c728a0389775adac24ed8a49b6013ba89dbc5a12fb1ddacc9df77e

Download Submit
C:\Windows\Installer\SFXCA30F657EA1546AB89739EB1EBC40A8AF8\CustomAction.config

Filesize
980B

MD5
c9c40af1656f8531eaa647caceb1e436

SHA1
907837497508de13d5a7e60697fc9d050e327e19

SHA256
1a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8

SHA512
0f7033686befa3f4acf3ed355c1674eaa6e349fba97e906446c8a7000be6876f157bc015bf5d3011fbbdc2c771bcbaea97918b8d24c064cbbd302741cc70cbc7

Download Submit
C:\Windows\Installer\SFXCA30F657EA1546AB89739EB1EBC40A8AF8\WixSharp.dll

Filesize
602KB

MD5
ebed2675d27b9383ee8e58bdeddd5da4

SHA1
4dc37974db638ec02363c784fa2c178125f4280f

SHA256
caa9da1c55e33446eaeb783957e990847369423c7dd652f07a5c93bf1d786a66

SHA512
b13538f58b766abd013f73d398eaa4e1adec3fc967415bf7f95198e6f55ac65a12a0c3863708b6fb525ef4a01f0ab88485bb990527bc0e4f5159c8419811dfab

Download Submit
C:\Windows\Installer\SFXCA30F657EA1546AB89739EB1EBC40A8AF8\WixToolset.Dtf.WindowsInstaller.dll

Filesize
193KB

MD5
b82b13d16e7f3d3607026f61b7295224

SHA1
d17b76907ea442b6cc5a79361a8fcec91075e20d

SHA256
bcc548e72b190d8f39dcb19538444e2576617a21caba6adcb4116511e1d2ddee

SHA512
be8c0b8b585fc77693e7481ca5d3f57a8b213c1190782fd4700676af9c0b671523c1a4fa58f15947a14c1ff6d4cda65d7353c6ba848a3a247dfcda864869e93f

Download Submit
C:\Windows\Installer\SFXCA8DECD1E8BF4D52C98818EE967561833B\pdqconnectagent-setup.exe

Filesize
24KB

MD5
75f16349cafae8f37bd1e207e2ec83d2

SHA1
f16f6adf8fd8344749ee7c9afe899f11caa959fe

SHA256
f3bb2b9230b8a6066dfeeb172ad32ae3ea31d2d49c76bdcc8a1e2531fa61f5b7

SHA512
2b1cc8c0dfb787a01d8834f0193f7b30de04cbbec271a98502f98956c136aa16e9a0bd388b4e03c075a9cb1deb0f51fb4eecc92af3ce1c87b363ac5076fc823b

Download Submit
C:\Windows\Installer\e57a131.msi

Filesize
4.7MB

MD5
82f3f74379c6dbdbca3a64c5717c2faa

SHA1
ba5562e233c1f83d6929db8dd03860a99bf58fa4

SHA256
6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d

SHA512
8bdf61555de4b7e249201462a0f942a1cc671d9bcc514635297e08ce25bcb90de8d0d64fd513da32d4be731e5af6db13d039040a83c8e50c2887009b091e58a1

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.1MB

MD5
41e5ec73aa6989ef6d76861ac8c7cef9

SHA1
f2e0721dceb938ec65b005799a28becd1b718552

SHA256
3ed5b2f54f928117ca2a1856a1d26ad0bb01ee3b8c0241f941c5b1daa0e0c738

SHA512
616d6eee8e5d3bf52954c7480eb5d0ddbc14ef921d63a514f22c2c43f176ca08f3fa4f814859ca469f1b14e02bb5de43d3cdd4de646195b717749b5af170f2ca

Download Submit
C:\Windows\TEMP\RESF8D7.tmp

Filesize
1KB

MD5
5ee0a3a8681b4e669d69e7079979b694

SHA1
b1974030a6259a3eefe22720bf98f83e379defd9

SHA256
d342638d91a3c77edae9a05e70b141c2aaf3cbd7b772129f990bb46df440f9b5

SHA512
fca95d80ff5ef4d52f8921bc719c600decec6907524ba7a1a2956284094962ece3bc8603517dbbfd1c56799e4b20e2652be1263d14fdb4d5a65d0d1c49e2dca9

Download Submit
C:\Windows\TEMP\jwlpptv0\jwlpptv0.dll

Filesize
3KB

MD5
dbcde9f8f1a4f0ec51f08bddca6c411d

SHA1
c80ce8fef828839f20147a43a2e54ab476fa72f2

SHA256
af42ee6421a7cdbd55b816509144b8c5f4499cb64490bcc3a0bb6a2da931b693

SHA512
e1b18193018caa57bd447c00f4676229a70c447eb7f87a035894b8696a008663f55e2e2ade3f103090dfb9cfbe9b050f37b2071b60525c53f3a2b3c6b3ace5b3

Download Submit
C:\Windows\Temp\03E2DEEB-12B5-4FAC-BA05-B05FE5026F6B\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_mdxn4u4a.3bx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
c24e9d1123bd6a335730119e7399c481

SHA1
53e88f378e61191fd1b0213e0beac692297cc5c2

SHA256
fbd6b175b9e1ffc92c569a6467172b6f1cebd4b8cd2d3bbb5119e1b4856cfe50

SHA512
3323e8e2d73cb4e986b25ccd7abfe350f5205f144999ffe01cf8e30e4eb6c6d68ac03b1f1a0c82e3d1ab292320e66c44263bcdf05e1c78b5953fa5bb5bf2a80d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d87725a59cf3a05a4538388aa07e4e1

SHA1
1aaf726902dc55f250203d9c7710eeef7f12ce8d

SHA256
5f18ec20fc4a804095c47afff4c39bc3af5af32463787617c3056162505e771d

SHA512
c812ef325b97f7f762fd878b4a1104578be1f730c28485078513c4169f465c87806de19c895ac4219e7f24a9e7a259859766d078f05158f1b81356323c88f2a2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fdebdf793c17d9b93ab8e13d8a8b335

SHA1
0af46b46d208c9d7acc758ed13fab8e76400a69d

SHA256
21906a88d15b17748d504ba6ae618a66307fc139d919517a08cac1707c959293

SHA512
ec523320ece4b57cf871893e1b8d9cba3b8199f41f7b274530c20b3ffdb8f0822d90f5c71b855acadd3a65d4ec91b73cf91db4961827e5b937aaabe7a742d5f5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18e041339238f4aef72bde0d76f485dc

SHA1
f72e4539d877087b1509bf766e2bfaf6adcad4d9

SHA256
151b05ddc5001f42ae113873dfd7ce0953489ba642b9468fc105e499f6f97230

SHA512
0a8f8f2d8340f003200beb7b2f97baaa24edfa2837bf67d6258a946b305ab952104647b3d54a9197794584d0e0d5c4ab682c9f62f9d740d0d29257d69e578cf8

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da81427f54ed89b184fd3116aa9fb011

SHA1
60d81a77ef4e15794fab3b8c5a3fd7edfe6ce0c4

SHA256
c146bf2019e40a19f026c08bb57cb04ef0216c5ea2b54d7242283d493e33d7cf

SHA512
6dd3666d7eb5f5d79d12edd3241783916bee463a52bb3ac0fa2558fad4f9ec3e585cc8169124f89a2eb676cb86c50233712b8889e4ee36efe8bbb6670a97f06d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f53f24147a9a341e808da8e4dc1bf0fa

SHA1
914f0bf8c6eb7ce5542eba1580fbd253905373fb

SHA256
1aaea7a5848e0ef95651184765619ff6e12d366e4565d3a1f7dbe6ee6c73f2b4

SHA512
5bacf2c03bf9fed73f2523b573135e54ae9d2c3aaa9f8784daba31cf2aaafe4f1dcf1866953b16e6117e4a0a40583827e3a095869b4399891cd3a7ec4f2d2a10

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7217d85baf9d0d8a0303362167ef4b8e

SHA1
c41c8ffc2b20234433f7d5ca7d46beae8483bf9d

SHA256
ab4ca46f4d5552e88070027eb465f2d68562f973c9af1bb5e09cbf9a5b72bc72

SHA512
286b55b0a22e4daefbd11c96f9eeec93d56352a98e3a06d304af60b218519a754ca9636aafa19f35cd90bf41e84780eab6ca1897228714a3a6747255c5511890

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
54ce1837fbb5db3d0bed0254cc1bdba3

SHA1
80b93690d02ca258b31a0c3481d0c457126164f5

SHA256
d7339012130d0f034c3559d426dec3f09de3616f4c77cc2add0fe97ad7550f33

SHA512
0aab89ba3526485bf3693f8832b6552f60b9238a37ed11b15045a2f97ac3e138cc3e95a10ec3db184f68ca376bab6c876e805254fccb5d989fad2f477e70e47e

Download Submit
\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4afdcc24-27a8-4b6c-82d2-2c657cbd60a2}_OnDiskSnapshotProp

Filesize
6KB

MD5
7c817827197cb30eabf2e28d905c0ba7

SHA1
da3204078d2ad75b00ff8b5f37ee8224a59adfb3

SHA256
61b68287e59c243756cc0d7e735032a629bdf565a182c2d6adee82d8b1cbda62

SHA512
73e5f0c3154a524e6853e2258193e6bda9ad0bd46c115fce284a9c1be5a84eb10dc3dd02c7d684406abb05867e7b8de55e344391d5a6178f49f6aea5b69e0b91

Download Submit
\??\c:\Windows\Temp\jwlpptv0\CSC5F9B8562C7094F2D9E5682678C598B4.TMP

Filesize
652B

MD5
6215e38da8602a6828fac16bde60b464

SHA1
09fc9f21e86dfc8557e2a83c4ee5b598009ecd53

SHA256
4f84bd30267698cfcabc36a5d1b50fb7ea5a02954ebcf0b11320744f18284e5b

SHA512
1d47ceb7a9e798f6770958f262f5accf89bf33ded94c0dd8e1c2e61d9957fe0377f8399be0b65f52a6648dab0811573c8f8f14561524158a42bcfc0907b5d29f

Download Submit
\??\c:\Windows\Temp\jwlpptv0\jwlpptv0.0.cs

Filesize
889B

MD5
dc979c0e403543f9000fc7650c17d17e

SHA1
907cf70a5b63337e620ca3da119e46145cf40546

SHA256
4c2601bd3a1eb9214c16e66e3b677f91f1c4072f0cc95d515b8cdea9b7708b3a

SHA512
f544d9fcb4ea073d2c8741a23f75bb67e404480aa3e781688a7913e1bab2edb25a42f70c739eb2d47215400e6ff0f8f9cfe0e64ee42c81010f43bb0a34d9655b

Download Submit
\??\c:\Windows\Temp\jwlpptv0\jwlpptv0.cmdline

Filesize
333B

MD5
55933932fcf9353283aa728f3ecb4a03

SHA1
e0ad7028d6890377aa577fa75a1f28642e3ac67b

SHA256
06d9871863cb9117e559381cf19d275c5fdc2e90b8f3bc0efbf32aed51f71f71

SHA512
e3bc51de64954507acfd124d0e673dc11d43be59a95ad7f8ff2f7f050d0c34bcf499854e8b9fd7bd39ecbb6d0226421edccc468221a475fb7ff11faa6b6c5433

Download Submit
memory/400-1882-0x000002696ECD0000-0x000002696ED85000-memory.dmp

Filesize
724KB

Download
memory/852-499-0x000001BA1AF50000-0x000001BA1B005000-memory.dmp

Filesize
724KB

Download
memory/1248-585-0x000002B5461F0000-0x000002B546366000-memory.dmp

Filesize
1.5MB

Download
memory/1248-586-0x000002B546580000-0x000002B54678A000-memory.dmp

Filesize
2.0MB

Download
memory/1620-581-0x00000168C6890000-0x00000168C689A000-memory.dmp

Filesize
40KB

Download
memory/1620-818-0x00000168C6F40000-0x00000168C6F64000-memory.dmp

Filesize
144KB

Download
memory/2140-67-0x000001C9C97B0000-0x000001C9C97BA000-memory.dmp

Filesize
40KB

Download
memory/2364-301-0x000002DC37700000-0x000002DC3771C000-memory.dmp

Filesize
112KB

Download
memory/2364-291-0x000002DC37430000-0x000002DC37452000-memory.dmp

Filesize
136KB

Download
memory/2364-305-0x000002DC37960000-0x000002DC37984000-memory.dmp

Filesize
144KB

Download
memory/2364-304-0x000002DC37960000-0x000002DC3798A000-memory.dmp

Filesize
168KB

Download
memory/2364-303-0x000002DC377E0000-0x000002DC377EA000-memory.dmp

Filesize
40KB

Download
memory/2364-302-0x000002DC37720000-0x000002DC377D5000-memory.dmp

Filesize
724KB

Download
memory/2912-36-0x000002B1AD3A0000-0x000002B1AD3D4000-memory.dmp

Filesize
208KB

Download
memory/2912-38-0x000002B1C5A10000-0x000002B1C5AAC000-memory.dmp

Filesize
624KB

Download
memory/4116-531-0x000002CC40E50000-0x000002CC41378000-memory.dmp

Filesize
5.2MB

Download
memory/4116-530-0x000002CC40750000-0x000002CC40912000-memory.dmp

Filesize
1.8MB

Download
memory/4300-599-0x000002436D5E0000-0x000002436D5F0000-memory.dmp

Filesize
64KB

Download
memory/4300-600-0x00000243700A0000-0x00000243700BA000-memory.dmp

Filesize
104KB

Download
memory/4300-571-0x000002436FCA0000-0x000002436FCBC000-memory.dmp

Filesize
112KB

Download
memory/4628-243-0x0000014F6F8E0000-0x0000014F6F8E8000-memory.dmp

Filesize
32KB

Download
memory/5088-501-0x0000022F76DC0000-0x0000022F76DC8000-memory.dmp

Filesize
32KB

Download
memory/5132-764-0x0000011732FA0000-0x0000011732FA8000-memory.dmp

Filesize
32KB

Download
memory/5972-1562-0x000002B87AAD0000-0x000002B87AB85000-memory.dmp

Filesize
724KB

Download