Windows Analysis Report
ArchivoNuevo.msi

Overview

General Information

Sample name: ArchivoNuevo.msi
Analysis ID: 1559920
MD5: 82f3f74379c6dbdbca3a64c5717c2faa
SHA1: ba5562e233c1f83d6929db8dd03860a99bf58fa4
SHA256: 6696d790ee119b0de93919050a642d3dca502a2ae1864700b6b06fa2b955ec9d
Tags: msi, user-NDA0E

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Bypasses PowerShell execution policy
Creates files in the system32 config directory
Loading BitLocker PowerShell Module
Queries the IP of a very long domain name
Reads the Security eventlog
Reads the System eventlog
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)
Yara detected PDQ RMM Tool

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.9% probability
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_b7c6f817-c
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent\LICENSE.html
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectUpdater
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F03416B2-8C97-4CC4-8578-5F6A58033B84}
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.140.238:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49890 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.7:49902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49921 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.7:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.7:49981 version: TLS 1.2
Source: Binary string: D:\dev\wixsharp-wix4\Source\src\WixSharp\obj\Release\WixSharp.pdbt~ source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: pdqconnectagent-setup.pdbh source: ArchivoNuevo.msi, MSI3EBD.tmp.2.dr
Source: Binary string: pdq_connect_updater.pdb source: pdq-connect-updater.exe, 00000013.00000002.2568518477.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, pdq-connect-updater.exe, 00000013.00000000.1542227813.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, pdq-connect-updater.exe.2.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\pdqconnectagent-setup.pdbll source: rundll32.exe, 0000000A.00000002.1412721298.0000028BA71D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdqconnectupdater-setup.pdb source: 54241c.msi.2.dr
Source: Binary string: WixToolset.Dtf.WindowsInstaller.pdbSHA256 source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\rover\rover\wix\pdqconnectupdater-setup\obj\Release\pdqconnectupdater-setup.pdb%??? 1?_CorExeMainmscoree.dll source: rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dev\wixsharp-wix4\Source\src\WixSharp\obj\Release\WixSharp.pdb source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: D:\a\rover\rover\wix\pdqconnectupdater-setup\obj\Release\pdqconnectupdater-setup.pdb source: rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\wix\wix\build\dtf\Release\x64\SfxCA.pdb source: ArchivoNuevo.msi, 54241c.msi.2.dr, MSI30BF.tmp.2.dr, MSI3EBD.tmp.2.dr
Source: Binary string: pdqconnectagent-setup.pdb source: ArchivoNuevo.msi, MSI3EBD.tmp.2.dr
Source: Binary string: VJYj| pdqconnectupdater-setup.pdbh source: 54241c.msi.2.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\pdqconnectupdater-setup.pdbk source: rundll32.exe, 00000012.00000002.1538358999.000002256898B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\wix4\wix4\build\api\Release\v143\x86\mbanative.pdb source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\pdqconnectagent-setup.pdb source: rundll32.exe, 00000009.00000002.1390144164.000001DFF7638000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\wix\wix\build\Util.wixext\Release\x64\utilca.pdb source: ArchivoNuevo.msi, 54241c.msi.2.dr, MSI3861.tmp.2.dr
Source: Binary string: D:\a\rover\rover\wix\pdqconnectagent-setup\obj\Release\pdqconnectagent-setup.pdb source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, pdqconnectagent-setup.exe.6.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\pdqconnectagent-setup.pdbll source: rundll32.exe, 00000008.00000002.1375031231.00000232020D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cscs.exe.pdb!Build_CA_DLL.cmd source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: WixToolset.Dtf.WindowsInstaller.pdb source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdq_connect_agent.pdb source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\rover\rover\wix\pdqconnectagent-setup\obj\Release\pdqconnectagent-setup.pdb=MWM IM_CorExeMainmscoree.dll source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, pdqconnectagent-setup.exe.6.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: 19_2_00007FF79251B840 FindFirstFileW,GetLastError, 19_2_00007FF79251B840

Networking

Source: unknown DNS traffic detected: query: pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com
Source: global traffic HTTP traffic detected: GET /v1/devices/release-channels/stable/manifest.json HTTP/1.1 x-pdq-key-ids: ask_b357915753b14d77946 accept: */* host: app.pdq.com
Source: global traffic HTTP traffic detected: GET /v1/devices/release-channels/emergency/manifest.json HTTP/1.1 x-pdq-key-ids: ask_b357915753b14d77946 accept: */* host: app.pdq.com
Source: Joe Sandbox View IP Address: 34.128.163.126
Source: Joe Sandbox View IP Address: 104.16.77.47
Source: Joe Sandbox View IP Address: 162.159.140.238
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /connect-agent/PDQConnectUpdater-0.3.0.msi?x-amz-acl=private&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=796077fae8f70edb91a7fc855e7e36ea%2F20241121%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241121T052331Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=66d7604bfbebca061b1e7170061768cc4e4ce92a70dbee4b17231235f8c15c29 HTTP/1.1 accept: */* user-agent: PDQ rover 5.6.6 host: pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com
Source: global traffic HTTP traffic detected: GET /v1/devices/auth-token HTTP/1.1x-auth-challenge-token: SFMyNTY.g2gDdAAAAAJtAAAACWNoYWxsZW5nZW0AAABAMDBFODgzRjg2MDRGQjlDNEE1RjNDRDJCQUIxMTcwMUFEODg5NjFCQzRFRkQyNEIwMzNFNTY5NTUwOTYyRDdBOW0AAAAJZGV2aWNlX2lkbQAAACRkdmNfNjNmNTVlYmMxMzAyYjkzZDE3OGM1ZDUxYmQzZDA3MTduBgBjCi5NkwFiAAFRgA._rUz7VRc1geQ1LuFmk91ckNQS28VorV_R4RyVhwH0JQx-auth-challenge-signature: 05bb039c890fc04542d7ef89c7445ada76389449fcb82e415dd34ccc93c7fb267e88038a2d45adbda1a45cda14eb36cfcf5dea11f9a007ad88cc3da1f568900ax-pdq-key-ids: ask_b357915753b14d77946user-agent: PDQ rover 5.6.6accept: */*host: app.pdq.com
Source: global traffic HTTP traffic detected: GET /v1/devices/socket/websocket?device_id=dvc_63f55ebc1302b93d178c5d51bd3d0717 HTTP/1.1Host: websocket.app.pdq.com:443Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: 7IE60p6bKqlieS/wiEfCSg==authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3ZWJzb2NrZXQtcHJveHkiLCJleHAiOjE3MzIyNTMwODUsImlhdCI6MTczMjE2NjY4NSwiaXNzIjoiaG91c3RvbiIsImp0aSI6IjA1NzIzYzM1LTc2YTAtNGNmNy1hN2IyLWExNDY2NjIyMDczYiIsIm5iZiI6MTczMjE2NjY4NCwib3JnYW5pemF0aW9uX2lkIjoib3JnXzlmNzUyNDIwNTk3MjQ2Y2NhMjMiLCJwdWJsaWNfa2V5IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRVUZZV1VwNldTdEVXakJRVWtNdlpGTmxabmhoZDFCR05Ya3dkMVEyV0dobGRFVjJkSFl6VjB4RlFrMDlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbyIsInN1YiI6ImR2Y182M2Y1NWViYzEzMDJiOTNkMTc4YzVkNTFiZDNkMDcxNyIsInR5cCI6ImFjY2VzcyJ9.aaK2PTnY48DQIE9Tuvq6THCYCM6WjROTcGimNn4n4asn8rYV0jiMaD1zafbZAg1TtiAy5Y92kAzHtAfbhi6otQuser-agent: PDQ rover 5.6.6x-release-channel: stablex-pdq-key-ids: ask_b357915753b14d77946x-auth-challenge-signature: 43debe5f618be88f7422ef84d7798c2988c1814eb7015ba6fa2ce6e05f78a88602f2c1020b0c78e9c9b5d3b3a134b5f294d778b829b648a6bcc89e91b7286202x-auth-challenge-token: SFMyNTY.g2gDdAAAAAJtAAAACWNoYWxsZW5nZW0AAABAN0Q0REUxNUExMTg3MTRBOTkxNTFENjk0NDBERDIxQkJGODE0ODAyQTA1Mzg1OTdCNDA3M0Y5RTIyNjE2OEM4OW0AAAAJZGV2aWNlX2lkbQAAACRkdmNfNjNmNTVlYmMxMzAyYjkzZDE3OGM1ZDUxYmQzZDA3MTduBgBRAy5NkwFiAAFRgA.i4xnqD1afxC_K8Q6IY8JZSXiblIWLFuZe3f6v3ekLx4
Source: global traffic HTTP traffic detected: GET /v1/devices/socket/websocket?device_id=dvc_63f55ebc1302b93d178c5d51bd3d0717 HTTP/1.1Host: websocket.app.pdq.com:443Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: BWLvjLo367jBhpO3CihB7A==authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3ZWJzb2NrZXQtcHJveHkiLCJleHAiOjE3MzIyNTMwODUsImlhdCI6MTczMjE2NjY4NSwiaXNzIjoiaG91c3RvbiIsImp0aSI6IjA1NzIzYzM1LTc2YTAtNGNmNy1hN2IyLWExNDY2NjIyMDczYiIsIm5iZiI6MTczMjE2NjY4NCwib3JnYW5pemF0aW9uX2lkIjoib3JnXzlmNzUyNDIwNTk3MjQ2Y2NhMjMiLCJwdWJsaWNfa2V5IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRVUZZV1VwNldTdEVXakJRVWtNdlpGTmxabmhoZDFCR05Ya3dkMVEyV0dobGRFVjJkSFl6VjB4RlFrMDlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbyIsInN1YiI6ImR2Y182M2Y1NWViYzEzMDJiOTNkMTc4YzVkNTFiZDNkMDcxNyIsInR5cCI6ImFjY2VzcyJ9.aaK2PTnY48DQIE9Tuvq6THCYCM6WjROTcGimNn4n4asn8rYV0jiMaD1zafbZAg1TtiAy5Y92kAzHtAfbhi6otQuser-agent: PDQ rover 5.6.6x-release-channel: stablex-pdq-key-ids: ask_b357915753b14d77946x-auth-challenge-signature: 33e7711b70f88e0bb8a0ad08ffb2e31d138c61fcc92c89344abcb1a9c3fb689b566ea040bde81c05237738216b7e8eb4f491ae28b99e7441e622934c29467907x-auth-challenge-token: SFMyNTY.g2gDdAAAAAJtAAAACWNoYWxsZW5nZW0AAABAOEE0NTg2RUYyNThFODdDNjA1OUVDQUZBMjhCQ0UwNDYwNDU4NUY5OEVCNTZFNzNBODhCOTIzNEJFMjI5QjM1MG0AAAAJZGV2aWNlX2lkbQAAACRkdmNfNjNmNTVlYmMxMzAyYjkzZDE3OGM1ZDUxYmQzZDA3MTduBgAknS5NkwFiAAFRgA.1RHFgr6T6M2b5sovynu--8hd2dnN3tdk7Qgr-JLeO0I
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: app.pdq.com
Source: global traffic DNS traffic detected: DNS query: pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com
Source: global traffic DNS traffic detected: DNS query: websocket.app.pdq.com
Source: unknown HTTP traffic detected: POST /v1/devices/register HTTP/1.1 content-type: application/x-www-form-urlencoded accept: */* user-agent: PDQ rover 5.6.6 host: app.pdq.com content-length: 506
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crt0
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: powershell.exe, 00000016.00000002.1716926658.000002831C845000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoftL
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0S
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: pdq-connect-updater.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: powershell.exe, 00000014.00000002.1678795523.000001FB10B4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1694758051.000001FB1F2F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1770223477.000002832D319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831EB6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1804045655.000001C7066DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1893417516.000001C714D98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2052470742.0000022AC6DE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000001C.00000002.1938904776.0000022AB700F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000014.00000002.1678795523.000001FB0F281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831D2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1804045655.000001C704D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1938904776.0000022AB6D84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs
Source: WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/bal
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/complus9WixToolset.Dependency.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/dependency3WixToolset.DirectX.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/dependencyXhttp://wixtoolset.org/schemas/v4/wxs/directx
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/difxapp5WixToolset.Firewall.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/difxappZhttp://wixtoolset.org/schemas/v4/wxs/firewallRhttp://wi
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/directx
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/firewall-WixToolset.Util.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/http
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/iis
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/msmq3WixToolset.ComPlus.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/netfx-WixToolset.Http.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/powershell=WixToolset.VisualStudio.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/powershellNhttp://wixtoolset.org/schemas/v4/wxs/vsRhttp://wixto
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/sql/WixToolset.Netfx.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/ui9WixToolset.PowerShell.wixext
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/util
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/vs-WixToolset.Msmq.wixext
Source: powershell.exe, 00000014.00000002.1678795523.000001FB1067E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831E68B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1804045655.000001C70610E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001C.00000002.1938904776.0000022AB700F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, pdqconnectagent-setup.exe.6.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr, pdq-connect-updater.exe.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000001C.00000002.2067436463.0000022ACEF10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000016.00000002.1781923810.000002833555D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://www.test.com/xml/2015
Source: powershell.exe, 00000014.00000002.1678795523.000001FB0F281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831D2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1804045655.000001C704D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1938904776.0000022AB6D84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: pdq-connect-agent.exe, 0000000D.00000002.2568861730.000002728D816000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/
Source: pdq-connect-agent.exe, 0000000D.00000003.2088980273.000002728D881000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000D.00000002.2568861730.000002728D881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/%pU
Source: pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://app.pdq.com/Hardcoded
Source: pdq-connect-agent.exe, 0000000D.00000002.2569279743.000002728DC4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/auth-challenge
Source: pdq-connect-agent.exe, 0000000D.00000003.2088980273.000002728D881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/register
Source: pdq-connect-agent.exe, 0000000D.00000003.2088980273.000002728D881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/register05
Source: pdq-connect-updater.exe, 00000013.00000002.2567357091.000001FD086EC000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-updater.exe, 00000013.00000002.2567802888.000001FD08771000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-updater.exe, 00000013.00000003.1561051303.000001FD08771000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/release-channels/emergency/manifest.json
Source: pdq-connect-updater.exe.2.dr String found in binary or memory: https://app.pdq.com/v1/devices/release-channels/emergency/manifest.jsonCouldn
Source: pdq-connect-updater.exe, 00000013.00000002.2567357091.000001FD086EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/release-channels/emergency/manifest.jsony
Source: pdq-connect-agent.exe, 0000000D.00000002.2568354819.000002728D336000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/release-channels/stable/manifest.json
Source: pdq-connect-agent.exe, 0000000D.00000003.1432524063.000002728D881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/release-channels/stable/manifest.jsonD
Source: powershell.exe, 0000001C.00000002.2052470742.0000022AC6DE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001C.00000002.2052470742.0000022AC6DE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001C.00000002.2052470742.0000022AC6DE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: powershell.exe, 0000001C.00000002.1938904776.0000022AB700F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: pdq-connect-updater.exe.2.dr String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: pdq-connect-updater.exe.2.dr String found in binary or memory: https://github.com/clap-rs/clap/issuesC:
Source: pdq-connect-updater.exe, 00000013.00000002.2568518477.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, pdq-connect-updater.exe, 00000013.00000000.1542227813.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, pdq-connect-updater.exe.2.dr String found in binary or memory: https://github.com/clap-rs/clap/issuesP
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://github.com/clap-rs/clap/issuescannot
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://github.com/clap-rs/clap/issuesh~
Source: pdq-connect-updater.exe.2.dr String found in binary or memory: https://github.com/clap-rs/clap/issuesservice
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: https://github.com/oleg-shilo/wixsharp/issues/1396#issuecomment-1849731522
Source: powershell.exe, 00000014.00000002.1678795523.000001FB105EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1678795523.000001FB1020C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831E609000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831E227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1804045655.000001C705CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1938904776.0000022AB82DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1938904776.0000022AB80DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1938904776.0000022AB77DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000014.00000002.1678795523.000001FB10B4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1694758051.000001FB1F2F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1770223477.000002832D319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831EB6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1804045655.000001C7066DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1893417516.000001C714D98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2052470742.0000022AC6DE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: pdq-connect-agent.exe, 0000000D.00000002.2568354819.000002728D2BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://o192192.ingest.sentry.io/api/6095569/envelope/
Source: powershell.exe, 00000014.00000002.1678795523.000001FB1067E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831E68B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1804045655.000001C70610E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000014.00000002.1678795523.000001FB1067E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1718432674.000002831E68B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1804045655.000001C70610E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: pdq-connect-updater.exe, 00000013.00000002.2567357091.000001FD0871D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com/connect-agent/PDQCon
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1327102244.000002D814761000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344451140.00000275426C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364917927.0000023202102000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383536997.000001DFF7662000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398236340.0000028BA7201000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516673054.000001EF206AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531254914.00000225689B0000.00000004.00000020.00020000.00000000.sdmp, ArchivoNuevo.msi, WixSharp.dll.5.dr, 54241c.msi.2.dr, MSI3861.tmp.2.dr String found in binary or memory: https://wixtoolset.org/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.140.238:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49890 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.7:49902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49921 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.7:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.7:49976 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.7:49981 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PDQConnectAgent
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PDQConnectUpdater
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PDQConnectAgent
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PDQ.com
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: 19_2_00007FF79251CBC0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetConsoleMode,GetFileType,GetFileInformationByHandleEx, 19_2_00007FF79251CBC0
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: 19_2_00007FF79251CAA0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 19_2_00007FF79251CAA0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\542419.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI25AF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{F03416B2-8C97-4CC4-8578-5F6A58033B84}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI307E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI308F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI30BF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3861.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3891.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI392E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3EBD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI45D2.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4D55.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4D85.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\54241b.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\54241b.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58033B84}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58033B84}\app_icon.ico
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\54241c.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI73EA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{0EC05CD8-8D17-472C-86DA-AF1E5356256F}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7979.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI798A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7A36.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7EDB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\54241f.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\54241f.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{0EC05CD8-8D17-472C-86DA-AF1E5356256F}\app_icon.ico
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\CustomAction.config
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\CustomAction.config
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\wix{F03416B2-8C97-4CC4-8578-5F6A58033B84}.SchedServiceConfig.rmi
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\CustomAction.config
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\pdqconnectagent-setup.pdb
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\CustomAction.config
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\pdqconnectagent-setup.pdb
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\CustomAction.config
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\pdqconnectagent-setup.pdb
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\wix{0EC05CD8-8D17-472C-86DA-AF1E5356256F}.SchedServiceConfig.rmi
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\CustomAction.config
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\pdqconnectupdater-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\CustomAction.config
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\pdqconnectupdater-setup.pdb
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI25AF.tmp
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FFAAB527E01 5_3_00007FFAAB527E01
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FFAAB5212D0 5_3_00007FFAAB5212D0
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FFAAB526D65 5_3_00007FFAAB526D65
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FFAAB523741 5_3_00007FFAAB523741
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00007FFAAB5112D0 6_3_00007FFAAB5112D0
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00007FFAAB513741 6_3_00007FFAAB513741
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FFAAB501610 8_3_00007FFAAB501610
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FFAAB5020FA 8_3_00007FFAAB5020FA
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FFAAB504D52 8_3_00007FFAAB504D52
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FFAAB5012D0 8_3_00007FFAAB5012D0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FFAAB5012F0 8_3_00007FFAAB5012F0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FFAAB505155 8_3_00007FFAAB505155
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FFAAB503741 8_3_00007FFAAB503741
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FFAAB4F12D0 9_3_00007FFAAB4F12D0
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FFAAB4F51C5 9_3_00007FFAAB4F51C5
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FFAAB4F3741 9_3_00007FFAAB4F3741
Source: C:\Windows\System32\rundll32.exe Code function: 10_3_00007FFAAB4F52B5 10_3_00007FFAAB4F52B5
Source: C:\Windows\System32\rundll32.exe Code function: 10_3_00007FFAAB4F12D0 10_3_00007FFAAB4F12D0
Source: C:\Windows\System32\rundll32.exe Code function: 10_3_00007FFAAB4F3741 10_3_00007FFAAB4F3741
Source: C:\Windows\System32\rundll32.exe Code function: 17_3_00007FFAAB501610 17_3_00007FFAAB501610
Source: Joe Sandbox View Dropped File: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe 56186E8C33AD8DA8621134794F3A8DEE38F9B0462E2DD679908C1374938DDB36
Source: C:\Windows\System32\rundll32.exe Process token adjusted: Security
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: String function: 00007FF792555870 appears 35 times
Source: pdq-connect-updater.exe.2.dr Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ArchivoNuevo.msi Binary or memory string: OriginalFilenameutilca.dll8 vs ArchivoNuevo.msi
Source: ArchivoNuevo.msi Binary or memory string: OriginalFilenamepdqconnectagent-setup.exeL vs ArchivoNuevo.msi
Source: ArchivoNuevo.msi Binary or memory string: OriginalFilenameSfxCA.dll8 vs ArchivoNuevo.msi
Source: ArchivoNuevo.msi Binary or memory string: OriginalFilenameWixSharp.dll2 vs ArchivoNuevo.msi
Source: pdq-connect-updater.exe.2.dr Binary string: poisonedAfdPollInfo\Device\Afd\Mio
Source: pdq-connect-updater.exe.2.dr Binary string: Failed to open \Device\Afd\Mio:
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr Binary or memory string: publish!wix.tools.csproj
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.1413352225.0000028BA8DD1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr Binary or memory string: .csproj
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr Binary or memory string: *.csprojwix\.wxi?Error: Cannot find UI project `
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr Binary or memory string: .aot.csproj
Source: classification engine Classification label: mal68.troj.evad.winMSI@42/110@4/3
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: 19_2_00007FF792389AAF StartServiceCtrlDispatcherW, 19_2_00007FF792389AAF
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\PDQ
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1424:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF799661E2806E9310.TMP
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI25AF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5515890 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: SELECT step FROM WHERE id = ?;p
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: INSERT OR REPLACE INTO updates (product, version, last_try) VALUES (?, ?, CURRENT_TIMESTAMP);task_ids[]Error setting :
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: SELECT step FROM WHERE id = ?;
Source: ArchivoNuevo.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ArchivoNuevo.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding D76B6F71B87802B3ACFEEA578FA9D516
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI25AF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5515890 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI30BF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5517562 16 WixSharp!WixSharp.ManagedProjectActions.WixSharp_BeforeInstall_Action
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 7A304B5B3B95AEB5D3F9D9F785650ADA E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI392E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5519718 38 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.CreateEventSource
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3EBD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5521109 44 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.WriteToken
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI45D2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5522921 50 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.StartService
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start "PDQConnectAgent"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe "C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe" --service
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\msiexec.exe "msiexec" /i C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi /quiet /qn /norestart /L*V C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 20DA56B5F1114D07CD140C2FB8662C4F E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI73EA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5534781 61 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI7A36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5536343 77 pdqconnectupdater-setup!pdqconnectupdater_setup.CustomActions.CreateEventSource
Source: unknown Process created: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe "C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe" --service
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: w32time.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vmictimeprovider.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: icu.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: apphelp.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: version.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: secur32.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: sspicli.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: mswsock.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: dnsapi.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: iphlpapi.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: rasadhlp.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: schannel.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: ntasn1.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: ncrypt.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: msasn1.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: cryptsp.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: rsaenh.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: cryptbase.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: gpapi.dll
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent\LICENSE.html
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectUpdater
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F03416B2-8C97-4CC4-8578-5F6A58033B84}
Source: ArchivoNuevo.msi Static file information: File size 4960768 > 1048576
Source: Binary string: D:\dev\wixsharp-wix4\Source\src\WixSharp\obj\Release\WixSharp.pdbt~ source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: pdqconnectagent-setup.pdbh source: ArchivoNuevo.msi, MSI3EBD.tmp.2.dr
Source: Binary string: pdq_connect_updater.pdb source: pdq-connect-updater.exe, 00000013.00000002.2568518477.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, pdq-connect-updater.exe, 00000013.00000000.1542227813.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, pdq-connect-updater.exe.2.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\pdqconnectagent-setup.pdbll source: rundll32.exe, 0000000A.00000002.1412721298.0000028BA71D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdqconnectupdater-setup.pdb source: 54241c.msi.2.dr
Source: Binary string: WixToolset.Dtf.WindowsInstaller.pdbSHA256 source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\rover\rover\wix\pdqconnectupdater-setup\obj\Release\pdqconnectupdater-setup.pdb%??? 1?_CorExeMainmscoree.dll source: rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dev\wixsharp-wix4\Source\src\WixSharp\obj\Release\WixSharp.pdb source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: D:\a\rover\rover\wix\pdqconnectupdater-setup\obj\Release\pdqconnectupdater-setup.pdb source: rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\wix\wix\build\dtf\Release\x64\SfxCA.pdb source: ArchivoNuevo.msi, 54241c.msi.2.dr, MSI30BF.tmp.2.dr, MSI3EBD.tmp.2.dr
Source: Binary string: pdqconnectagent-setup.pdb source: ArchivoNuevo.msi, MSI3EBD.tmp.2.dr
Source: Binary string: VJYj| pdqconnectupdater-setup.pdbh source: 54241c.msi.2.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\pdqconnectupdater-setup.pdbk source: rundll32.exe, 00000012.00000002.1538358999.000002256898B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\wix4\wix4\build\api\Release\v143\x86\mbanative.pdb source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\pdqconnectagent-setup.pdb source: rundll32.exe, 00000009.00000002.1390144164.000001DFF7638000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\wix\wix\build\Util.wixext\Release\x64\utilca.pdb source: ArchivoNuevo.msi, 54241c.msi.2.dr, MSI3861.tmp.2.dr
Source: Binary string: D:\a\rover\rover\wix\pdqconnectagent-setup\obj\Release\pdqconnectagent-setup.pdb source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, pdqconnectagent-setup.exe.6.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\pdqconnectagent-setup.pdbll source: rundll32.exe, 00000008.00000002.1375031231.00000232020D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cscs.exe.pdb!Build_CA_DLL.cmd source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: WixToolset.Dtf.WindowsInstaller.pdb source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1516477342.000001EF2206B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000012.00000003.1531073498.000002256A246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdq_connect_agent.pdb source: pdq-connect-agent.exe, 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\rover\rover\wix\pdqconnectagent-setup\obj\Release\pdqconnectagent-setup.pdb=MWM IM_CorExeMainmscoree.dll source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, pdqconnectagent-setup.exe.6.dr
Source: pdqconnectagent-setup.exe.5.dr Static PE information: 0xD9CA72A2 [Sun Oct 14 18:44:50 2085 UTC]
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00007FFAAB517DC2 pushad ; ret 6_3_00007FFAAB517DD1
Source: C:\Windows\System32\rundll32.exe Code function: 6_3_00007FFAAB513D95 push FFFFFFE8h; ret 6_3_00007FFAAB513DF9

Persistence and Installation Behavior

Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\WixSharp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI30BF.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7EDB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI73EA.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\pdqconnectagent-setup.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI25AF.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\WixSharp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI392E.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\pdqconnectupdater-setup.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI308F.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI45D2.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7A36.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\WixSharp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3EBD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3891.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4D85.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3861.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4D55.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\pdqconnectagent-setup.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI798A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log
Source: C:\Windows\System32\rundll32.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\PDQ.com
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: 19_2_00007FF792389AAF StartServiceCtrlDispatcherW, 19_2_00007FF792389AAF
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start "PDQConnectAgent"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5650
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6072
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3743
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8935
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 607
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\pdqconnectagent-setup.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI30BF.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7EDB.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI73EA.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\WixSharp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI25AF.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI392E.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\pdqconnectupdater-setup.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI308F.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\pdqconnectagent-setup.exe
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\WixSharp.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\WixToolset.Dtf.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI45D2.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7A36.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\WixSharp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3EBD.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3891.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4D85.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3861.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\WixSharp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4D55.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\pdqconnectagent-setup.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI798A.tmp
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe API coverage: 8.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164 Thread sleep count: 4190 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164 Thread sleep count: 5650 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6680 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1484 Thread sleep count: 6340 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1484 Thread sleep count: 3124 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 336 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 368 Thread sleep count: 6072 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6828 Thread sleep count: 3743 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1168 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5872 Thread sleep count: 8935 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4260 Thread sleep count: 607 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2908 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: 19_2_00007FF79251B840 FindFirstFileW,GetLastError, 19_2_00007FF79251B840
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: rundll32.exe, 00000009.00000002.1389992379.000001DF80001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: V-lks3x8iprf4zffef-d4i2burpakmdvx_1aavv2nzh4kedwdln8valhnln50dmimhyeqemu1xqc_vc
Source: rundll32.exe, 00000009.00000002.1389992379.000001DF80001000.00000004.00000800.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000D.00000003.2088980273.000002728D881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -lks3x8iprf4zffef-d4i2burpakmdvx_1aavv2nzh4kedwdln8valhnln50dmimhyeqemu1xqc_vcdobklvgw
Source: rundll32.exe, 00000009.00000002.1389992379.000001DF80001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TOKEN=-lks3x8iprf4zffef-d4i2burpakmdvx_1aavv2nzh4kedwdln8valhnln50dmimhyeqemu1xqc_vcdobklvgw;CURRENTDIRECTORY=C:\Users\user\Desktop;Installed=;REMOVE=;FOUNDPREVIOUSVERSION=;REINSTALL=;INSTALLDIR=C:\Program Files\PDQ\PDQConnectAgent\;UILevel=5;ProductCode={F03416B2-8C97-4CC4-8578-5F6A58033B84};ADDLOCAL=Complete;ADDFEATURES=
Source: pdq-connect-agent.exe, 0000000D.00000002.2568861730.000002728D881000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f4zffef-d4i2burpakmdvx_1aavv2nzh4kedwdln8valhnln50dmimhyeqemu1xq
Source: svchost.exe, 00000003.00000002.2567674046.0000022D0EE2B000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000D.00000003.2089358226.000002728D837000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000D.00000003.1432524063.000002728D836000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000D.00000003.2088594824.000002728D831000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000D.00000002.2568861730.000002728D816000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-updater.exe, 00000013.00000003.1561217096.000001FD0871D000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-updater.exe, 00000013.00000002.2567357091.000001FD0871D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000009.00000002.1389992379.000001DF80001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: f4zffef-d4i2burpakmdvx_1aavv2nzh4kedwdln8valhnln50dmimhyeqemu1xqc_vcdobklvgw;CURRENTDIRECTORY=C:\Users\user\Desktop;Installed=;REMOVE=;FOUNDPREVIOUSVERSION=;REINSTALL=;INSTALLDIR=C:\Program Files\PDQ\PDQConnectAgent\;UILevel=5;ProductCode={F03416B2-8C97-4CC4-8578-5F6A58033B84};ADDLOCAL=Complete;ADDFEATURES=
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: 19_2_00007FF7923EEC12 GetProcessHeap,HeapAlloc, 19_2_00007FF7923EEC12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\rundll32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start "PDQConnectAgent"
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\msiexec.exe "msiexec" /i C:\ProgramData\PDQ\PDQConnectAgent\Updates\PDQConnectUpdater-0.3.0.msi /quiet /qn /norestart /L*V C:\ProgramData\PDQ\PDQConnectAgent\Updates\updater_install.log
Source: rundll32.exe, 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\WixSharp.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\WixSharp.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\pdqconnectagent-setup.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\pdqconnectagent-setup.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\WixSharp.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\pdqconnectagent-setup.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\WixSharp.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\pdqconnectagent-setup.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\WixSharp.dll VolumeInformation
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Queries volume information: C:\ProgramData\PDQ\PDQConnectAgent\token VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCAD45AA528324E95A938548E4BDEFAECCD\WixSharp.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\pdqconnectupdater-setup.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA2D62C371EC4462894F00FB8E155458C3\WixSharp.dll VolumeInformation
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Queries volume information: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Code function: 13_2_00007FF649919EE8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 13_2_00007FF649919EE8
Source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe Code function: 19_2_00007FF79240775F GetTimeZoneInformationForYear, 19_2_00007FF79240775F
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match File source: ArchivoNuevo.msi, type: SAMPLE
Source: Yara match File source: 6.3.rundll32.exe.275442c9c14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.275442a69c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2d816346c14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2d816346c14.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.275442c9c14.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.2d8163239c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.pdq-connect-updater.exe.7ff792380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.pdq-connect-updater.exe.7ff792380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.pdq-connect-agent.exe.7ff649390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.pdq-connect-agent.exe.7ff649390000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.2088980273.000002728D881000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2568354819.000002728D28C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2088594824.000002728D881000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1364792814.0000023203B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2089358226.000002728D837000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2570147225.00007FF649BD4000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2568518477.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1344096279.0000027544233000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2568861730.000002728D881000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1398082246.0000028BA8CFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2569856499.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1403420378.00007FF64993A000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1432524063.000002728D836000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1561217096.000001FD0871D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2088594824.000002728D831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2568354819.000002728D2F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2568354819.000002728D336000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2568861730.000002728D816000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2569279743.000002728DC4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2567357091.000001FD0871D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1403664181.00007FF649BD4000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.1542227813.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1424, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pdq-connect-agent.exe PID: 7500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pdq-connect-updater.exe PID: 7988, type: MEMORYSTR
Source: Yara match File source: C:\Windows\Installer\SFXCA0AFEF201D34F9FEB9B68C29FF1DEA299\pdqconnectagent-setup.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\SFXCAC25C26A72E4A6B69ED3BA12DF4525456\pdqconnectagent-setup.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\SFXCA0ED2EC38E74DD8E8B1AFF51FA0AC9210\pdqconnectagent-setup.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\SFXCABB31053B1D4845A965C92D7ACB4427E9\pdqconnectagent-setup.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\SFXCA346E64854645062B71D18DA79DA4EE43\pdqconnectagent-setup.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\542419.msi, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\54241b.msi, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSI307E.tmp, type: DROPPED
Source: Yara match File source: C:\Program Files\PDQ\PDQConnectUpdater\pdq-connect-updater.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe, type: DROPPED
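The Yara match sources above name the same processes three ways: memory dumps (`0000000D.00000002.….sdmp`, process index and stage in hex), unpacked PEs (`13.2.pdq-connect-agent.exe.….unpack`, the same index and stage in decimal followed by the image name) and the `13_2_…` prefixes on the code-function lines. The Python below is an added example, not part of this Joe Sandbox report, that correlates the three so each memory hit is attributed to an image where the page names one, and the remaining indices are flagged for lookup in the process tree. The reading of the dump-name fields (first = process index, second = stage, fourth = base address, the four trailing fields = flags, left uninterpreted) is an assumption inferred from how the names on this page line up (`0000000D` with `13.2.pdq-connect-agent.exe`, `00000013` with `19.2.pdq-connect-updater.exe`); the sample lines are a constructed subset of the list above.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of "Yara match" lines copied from the report
# above (the full list is much longer; these cover each naming scheme).
SAMPLE_LINES = [
    r"Source: Yara match File source: ArchivoNuevo.msi, type: SAMPLE",
    r"Source: Yara match File source: 19.2.pdq-connect-updater.exe.7ff792380000.0.unpack, type: UNPACKEDPE",
    r"Source: Yara match File source: 13.2.pdq-connect-agent.exe.7ff649390000.0.unpack, type: UNPACKEDPE",
    r"Source: Yara match File source: 5.3.rundll32.exe.2d816346c14.0.raw.unpack, type: UNPACKEDPE",
    r"Source: Yara match File source: 0000000D.00000002.2570147225.00007FF649BD4000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY",
    r"Source: Yara match File source: 00000013.00000002.2568518477.00007FF792557000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY",
    r"Source: Yara match File source: 00000005.00000003.1326994317.000002D8162B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    r"Source: Yara match File source: 00000009.00000003.1383397932.000001DFF90CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    r"Source: Yara match File source: Process Memory Space: pdq-connect-agent.exe PID: 7500, type: MEMORYSTR",
    r"Source: Yara match File source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe, type: DROPPED",
]

SOURCE_RE = re.compile(r"^Source: Yara match File source: (?P<name>.+), type: (?P<kind>[A-Z]+)$")
# <index>.<stage>.<image>.<hex base>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<idx>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$", re.I
)


def parse_sdmp(name):
    """Split a memory-dump name into process index, stage and base address.
    Assumption (labelled): fields 1 and 2 are the hex process index and stage,
    field 4 the hex base address; the four trailing flag fields are returned
    raw and not interpreted."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        return None
    return {
        "index": int(parts[0], 16),
        "stage": int(parts[1], 16),
        "base": int(parts[3], 16),
        "flags": tuple(parts[4:8]),
    }


def parse_unpack(name):
    """Decode an unpacked-PE name; index and stage are decimal here."""
    m = UNPACK_RE.match(name)
    if not m:
        return None
    return {"index": int(m["idx"]), "stage": int(m["stage"]),
            "image": m["image"], "base": int(m["base"], 16)}


def correlate(lines):
    """Group Yara hits by process index so the dumps and unpacked PEs of one
    process sit together; dropped files and string-space hits are kept aside."""
    procs = defaultdict(lambda: {"image": None, "stages": set(),
                                 "dump_bases": set(), "unpack_bases": set()})
    dropped, memstr = [], []
    for line in lines:
        m = SOURCE_RE.match(line.strip())
        if not m:
            continue
        name, kind = m["name"], m["kind"]
        if kind == "MEMORY" and (d := parse_sdmp(name)):
            p = procs[d["index"]]
            p["stages"].add(d["stage"])
            p["dump_bases"].add(d["base"])
        elif kind == "UNPACKEDPE" and (u := parse_unpack(name)):
            p = procs[u["index"]]
            p["image"] = u["image"]
            p["stages"].add(u["stage"])
            p["unpack_bases"].add(u["base"])
        elif kind == "DROPPED":
            dropped.append(name)
        elif kind == "MEMORYSTR":
            memstr.append(name)
    return {"processes": dict(procs), "dropped": dropped, "memstr": memstr}


def unattributed(summary):
    """Process indices with Yara hits in memory but no unpacked PE naming the
    image: these need the report's process tree before they can be attributed."""
    return sorted(i for i, p in summary["processes"].items() if p["image"] is None)


if __name__ == "__main__":
    s = correlate(SAMPLE_LINES)
    for idx, p in sorted(s["processes"].items()):
        print(idx, p["image"] or "?", sorted(p["stages"]),
              [hex(b) for b in sorted(p["dump_bases"])])
    print("unattributed:", unattributed(s))
```

Run against the full list on this page, the same grouping shows that every `0000000D` dump belongs to pdq-connect-agent.exe (index 13) and every `00000013` dump to pdq-connect-updater.exe (index 19), while indices 8, 9 and 10 have memory hits but no unpacked PE here and have to be matched to the five rundll32.exe PIDs through the process tree.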