Windows Analysis Report
Portal.msi

Overview

General Information

Sample name: Portal.msi
Analysis ID: 1527957
MD5: 9b7151e351cfbfbf8276b9a2cd8dccc2
SHA1: c5f1808e63a6ba22f602bab3225d8821372b8e79
SHA256: 60b686750a697e5b2a1580e7b2932c269bf7e2231869769c2ad49546f2f8577c
Tags: msiMuddyWaterRustyStealerTA450user-smica83
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Queries the IP of a very long domain name
Reads the Security eventlog
Reads the System eventlog
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 94.2% probability
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_5bea58ed-8
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent\LICENSE.html Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F03416B2-8C97-4CC4-8578-5F6A58F3EB84} Jump to behavior
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.140.238:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.5:49983 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49986 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.5:49987 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.5:49989 version: TLS 1.2
Source: Binary string: D:\dev\wixsharp-wix4\Source\src\WixSharp\obj\Release\WixSharp.pdbt~ source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\pdqconnectagent-setup.pdbm source: rundll32.exe, 00000007.00000002.2111161917.000001F0B0268000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\pdqconnectagent-setup.pdbll source: rundll32.exe, 00000009.00000002.2145984383.000001B2FB360000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdqconnectupdater-setup.pdb source: PDQConnectUpdater-0.3.0.msi.12.dr
Source: Binary string: WixToolset.Dtf.WindowsInstaller.pdbSHA256 source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixToolset.Dtf.WindowsInstaller.dll.4.dr
Source: Binary string: D:\dev\wixsharp-wix4\Source\src\WixSharp\obj\Release\WixSharp.pdb source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: D:\a\wix\wix\build\dtf\Release\x64\SfxCA.pdb source: Portal.msi, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, MSI328E.tmp.1.dr
Source: Binary string: pdqconnectagent-setup.pdb source: Portal.msi, MSI1F2D.tmp.1.dr, MSI328E.tmp.1.dr
Source: Binary string: D:\a\wix4\wix4\build\api\Release\v143\x86\mbanative.pdb source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\pdqconnectagent-setup.pdblH source: rundll32.exe, 00000008.00000002.2125319285.0000024569AC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\wix\wix\build\Util.wixext\Release\x64\utilca.pdb source: Portal.msi, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr
Source: Binary string: D:\a\rover\rover\wix\pdqconnectagent-setup\obj\Release\pdqconnectagent-setup.pdb source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, pdqconnectagent-setup.exe.7.dr
Source: Binary string: cscs.exe.pdb!Build_CA_DLL.cmd source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: Yqw pdqconnectupdater-setup.pdbh source: PDQConnectUpdater-0.3.0.msi.12.dr
Source: Binary string: WixToolset.Dtf.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixToolset.Dtf.WindowsInstaller.dll.4.dr
Source: Binary string: PDQCON~1.PDBpdqconnectagent-setup.pdbx source: rundll32.exe, 00000008.00000002.2125319285.0000024569B62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d1YKt pdqconnectagent-setup.pdbh source: Portal.msi, MSI1F2D.tmp.1.dr, MSI328E.tmp.1.dr
Source: Binary string: pdq_connect_agent.pdb source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr
Source: Binary string: D:\a\rover\rover\wix\pdqconnectagent-setup\obj\Release\pdqconnectagent-setup.pdb=MWM IM_CorExeMainmscoree.dll source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, pdqconnectagent-setup.exe.7.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior

Networking
barindex
Queries the IP of a very long domain name
Source: unknown DNS traffic detected: query: pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /v1/devices/release-channels/stable/manifest.json HTTP/1.1x-pdq-key-ids: ask_b357915753b14d77946accept: */*host: app.pdq.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.128.163.126 34.128.163.126
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /v1/devices/release-channels/stable/manifest.json HTTP/1.1x-pdq-key-ids: ask_b357915753b14d77946accept: */*host: app.pdq.com
Source: global traffic HTTP traffic detected: GET /connect-agent/PDQConnectUpdater-0.3.0.msi?x-amz-acl=private&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=796077fae8f70edb91a7fc855e7e36ea%2F20241007%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241007T112315Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=f31523c676157dae877ac7e0885208001b440e0d5aa6f5aa61caec4e0e6d395b HTTP/1.1accept: */*user-agent: PDQ rover 5.5.1host: pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com
Source: global traffic HTTP traffic detected: GET /v1/devices/auth-token HTTP/1.1x-auth-challenge-token: SFMyNTY.g2gDdAAAAAJtAAAACWNoYWxsZW5nZW0AAABAMzg5RjA4MjBGNjdFM0VBMTA5OUMzOTlBRDJEMTYyMTYyRkIzQkU5NTc2OTRDNTdCMTE1RTg5RDM4RUJBQTQzOW0AAAAJZGV2aWNlX2lkbQAAACRkdmNfY2YwM2Q3M2U2YzZiMzRhYmM4YmM4NDA5ZjhlZTEzYzFuBgAmELlmkgFiAAFRgA.0N7Tx4Q3ZMAtN3sW2qv5UDSW0FoEj2ZGZHcGWmb0grgx-auth-challenge-signature: e6a90cc078d79ed01b1fc84f362f845ee9f81a3ba45eb84ce770ba2116d302b212066e7a9f8d46e8584eb548b6664e3a8536dc5fa4b5498bde7ef482b7ac8b0ex-pdq-key-ids: ask_b357915753b14d77946user-agent: PDQ rover 5.5.1accept: */*host: app.pdq.com
Source: global traffic HTTP traffic detected: GET /v1/devices/socket/websocket?device_id=dvc_cf03d73e6c6b34abc8bc8409f8ee13c1 HTTP/1.1Host: websocket.app.pdq.com:443Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: Y51N629PzzcrK6X5pi/hjw==authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3ZWJzb2NrZXQtcHJveHkiLCJleHAiOjE3MjgzODY2NTcsImlhdCI6MTcyODMwMDI1NywiaXNzIjoiaG91c3RvbiIsImp0aSI6ImE5ZTFmOTk2LWJmNTctNDYyNS05ODFiLTMxZmY0MGJhYzNjMSIsIm5iZiI6MTcyODMwMDI1Niwib3JnYW5pemF0aW9uX2lkIjoib3JnXzNiZWMwOTAwN2MzYjQ0OThiYzYiLCJwdWJsaWNfa2V5IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRVE53WkZsdWJ6TkRSWEZTYjBZNGNuY3ZZbVI0UlRWUVVFbEVTbUUwYm1KTFJWVlpiMmxPUVdSbFVsazlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbyIsInN1YiI6ImR2Y19jZjAzZDczZTZjNmIzNGFiYzhiYzg0MDlmOGVlMTNjMSIsInR5cCI6ImFjY2VzcyJ9.9jIZgmMdtqhybhcDBSjUQj3MYa4u-ZX6HMfrB6_z69-3pRp96sUHLjF_yxTI8pdFPo7FG94zj_c_aI_MnC3d1guser-agent: PDQ rover 5.5.1x-release-channel: stablex-pdq-key-ids: ask_b357915753b14d77946x-auth-challenge-signature: ee49145b1d2b5e47bf857979fcf774a05e4a7e71b666967be326b4301b4e76cef36a3d23a6939399fd30da44a41d1f58b7318e8973c1ccef6904bb5970aeeb07x-auth-challenge-token: SFMyNTY.g2gDdAAAAAJtAAAACWNoYWxsZW5nZW0AAABAQzUyRUI0REY3OTU2MzRDMjBCRkEyQUQwOTU5RjRDNDNDMUQ4QjlFMTRBNkE3OEQ2OTlCNTQ0NDkxRjBGMkU5MW0AAAAJZGV2aWNlX2lkbQAAACRkdmNfY2YwM2Q3M2U2YzZiMzRhYmM4YmM4NDA5ZjhlZTEzYzFuBgDqDLlmkgFiAAFRgA.x2B6_ZNfIuTbwFxOAkYQI72pPlYOpgciPlJr_2WwsrM
Source: global traffic HTTP traffic detected: GET /v1/devices/socket/websocket?device_id=dvc_cf03d73e6c6b34abc8bc8409f8ee13c1 HTTP/1.1Host: websocket.app.pdq.com:443Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: WQSStiWAvRInix3U0Ars5w==authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3ZWJzb2NrZXQtcHJveHkiLCJleHAiOjE3MjgzODY2NTcsImlhdCI6MTcyODMwMDI1NywiaXNzIjoiaG91c3RvbiIsImp0aSI6ImE5ZTFmOTk2LWJmNTctNDYyNS05ODFiLTMxZmY0MGJhYzNjMSIsIm5iZiI6MTcyODMwMDI1Niwib3JnYW5pemF0aW9uX2lkIjoib3JnXzNiZWMwOTAwN2MzYjQ0OThiYzYiLCJwdWJsaWNfa2V5IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRVE53WkZsdWJ6TkRSWEZTYjBZNGNuY3ZZbVI0UlRWUVVFbEVTbUUwYm1KTFJWVlpiMmxPUVdSbFVsazlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbyIsInN1YiI6ImR2Y19jZjAzZDczZTZjNmIzNGFiYzhiYzg0MDlmOGVlMTNjMSIsInR5cCI6ImFjY2VzcyJ9.9jIZgmMdtqhybhcDBSjUQj3MYa4u-ZX6HMfrB6_z69-3pRp96sUHLjF_yxTI8pdFPo7FG94zj_c_aI_MnC3d1guser-agent: PDQ rover 5.5.1x-release-channel: stablex-pdq-key-ids: ask_b357915753b14d77946x-auth-challenge-signature: c5433f7a1d7c0b92e1608a9a5079b711cde242ba83c0900bd5182a7e782fc580cf9aa602cbed775140fe8572f130294a5909216fbb59016b86283d192b98a307x-auth-challenge-token: SFMyNTY.g2gDdAAAAAJtAAAACWNoYWxsZW5nZW0AAABANDJBQjQ3NTMyOTlDQTk3MzkzN0VERDlFNjFGN0VFODJBQTBEQURGMUE3MDZFMEYyQ0M3NTY4NEU1NTNCODlBNm0AAAAJZGV2aWNlX2lkbQAAACRkdmNfY2YwM2Q3M2U2YzZiMzRhYmM4YmM4NDA5ZjhlZTEzYzFuBgD4b7lmkgFiAAFRgA.DbY-vbpJIjwkCjvmwoTRamTeuIQOT-xB5uFNjDG0Yr8
Source: global traffic HTTP traffic detected: GET /v1/devices/socket/websocket?device_id=dvc_cf03d73e6c6b34abc8bc8409f8ee13c1 HTTP/1.1Host: websocket.app.pdq.com:443Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: WjfvLqi3SZVqZ6DHtBWwKA==authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3ZWJzb2NrZXQtcHJveHkiLCJleHAiOjE3MjgzODY2NTcsImlhdCI6MTcyODMwMDI1NywiaXNzIjoiaG91c3RvbiIsImp0aSI6ImE5ZTFmOTk2LWJmNTctNDYyNS05ODFiLTMxZmY0MGJhYzNjMSIsIm5iZiI6MTcyODMwMDI1Niwib3JnYW5pemF0aW9uX2lkIjoib3JnXzNiZWMwOTAwN2MzYjQ0OThiYzYiLCJwdWJsaWNfa2V5IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRVE53WkZsdWJ6TkRSWEZTYjBZNGNuY3ZZbVI0UlRWUVVFbEVTbUUwYm1KTFJWVlpiMmxPUVdSbFVsazlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbyIsInN1YiI6ImR2Y19jZjAzZDczZTZjNmIzNGFiYzhiYzg0MDlmOGVlMTNjMSIsInR5cCI6ImFjY2VzcyJ9.9jIZgmMdtqhybhcDBSjUQj3MYa4u-ZX6HMfrB6_z69-3pRp96sUHLjF_yxTI8pdFPo7FG94zj_c_aI_MnC3d1guser-agent: PDQ rover 5.5.1x-release-channel: stablex-pdq-key-ids: ask_b357915753b14d77946x-auth-challenge-signature: 1e0fdd3ef412c9592046f0516d35b922e4894713790dec894bad8823daef1083549c681334805ac0ea09423086c910526f098524bd24763adafa373211ff1002x-auth-challenge-token: SFMyNTY.g2gDdAAAAAJtAAAACWNoYWxsZW5nZW0AAABANTBFRThERUY4RjBCOEM3MjQ0Q0VFRkQzNzFGNTQyQzNBRjc5QjFBODgwRThDMzQ2NzZBRDY0MUYzNTk2QUI2RG0AAAAJZGV2aWNlX2lkbQAAACRkdmNfY2YwM2Q3M2U2YzZiMzRhYmM4YmM4NDA5ZjhlZTEzYzFuBgCskblmkgFiAAFRgA.FcvW4ooNiqZsJy5Pt2NyFNKMar8EzPcCeIkqRiTZDOU
Source: global traffic HTTP traffic detected: GET /v1/devices/socket/websocket?device_id=dvc_cf03d73e6c6b34abc8bc8409f8ee13c1 HTTP/1.1Host: websocket.app.pdq.com:443Connection: UpgradeUpgrade: websocketSec-WebSocket-Version: 13Sec-WebSocket-Key: B3FXw8Dap40WbDRx5ILaZA==authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3ZWJzb2NrZXQtcHJveHkiLCJleHAiOjE3MjgzODY2NTcsImlhdCI6MTcyODMwMDI1NywiaXNzIjoiaG91c3RvbiIsImp0aSI6ImE5ZTFmOTk2LWJmNTctNDYyNS05ODFiLTMxZmY0MGJhYzNjMSIsIm5iZiI6MTcyODMwMDI1Niwib3JnYW5pemF0aW9uX2lkIjoib3JnXzNiZWMwOTAwN2MzYjQ0OThiYzYiLCJwdWJsaWNfa2V5IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVOdmQwSlJXVVJMTWxaM1FYbEZRVE53WkZsdWJ6TkRSWEZTYjBZNGNuY3ZZbVI0UlRWUVVFbEVTbUUwYm1KTFJWVlpiMmxPUVdSbFVsazlDaTB0TFMwdFJVNUVJRkJWUWt4SlF5QkxSVmt0TFMwdExRbyIsInN1YiI6ImR2Y19jZjAzZDczZTZjNmIzNGFiYzhiYzg0MDlmOGVlMTNjMSIsInR5cCI6ImFjY2VzcyJ9.9jIZgmMdtqhybhcDBSjUQj3MYa4u-ZX6HMfrB6_z69-3pRp96sUHLjF_yxTI8pdFPo7FG94zj_c_aI_MnC3d1guser-agent: PDQ rover 5.5.1x-release-channel: stablex-pdq-key-ids: ask_b357915753b14d77946x-auth-challenge-signature: 18b3927a0fcda9263a79513afda2644664dee855d4412f98bda32f73d26351b04e6e537183ecc2b53992c663dd8d2fe907cab300246f958beea8478cc4d5510fx-auth-challenge-token: SFMyNTY.g2gDdAAAAAJtAAAACWNoYWxsZW5nZW0AAABAMUNGMDIzODI5OEQ5RjE0ODU0RjkzQjQyRDQ2QUMyMUE2QzcyQkU2QTkxMkM0NjI4MTg2NDRGNDU3MTEyQjcwMW0AAAAJZGV2aWNlX2lkbQAAACRkdmNfY2YwM2Q3M2U2YzZiMzRhYmM4YmM4NDA5ZjhlZTEzYzFuBgDc2rlmkgFiAAFRgA.Pv8qOVmhQgehVWR2BeHfaInVq9xkEGeTWoD0s36HirQ
Source: global traffic DNS traffic detected: DNS query: app.pdq.com
Source: global traffic DNS traffic detected: DNS query: pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com
Source: global traffic DNS traffic detected: DNS query: websocket.app.pdq.com
Source: unknown HTTP traffic detected: POST /v1/devices/register HTTP/1.1content-type: application/x-www-form-urlencodedaccept: */*user-agent: PDQ rover 5.5.1host: app.pdq.comcontent-length: 506
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E3414D6000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2752781027.000001E3414E1000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, PDQConnectUpdater-0.3.0.msi.12.dr, pdqconnectagent-setup.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crt0
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E3414D6000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2752781027.000001E3414E1000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E3414D6000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2752781027.000001E3414E1000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, PDQConnectUpdater-0.3.0.msi.12.dr, pdqconnectagent-setup.exe.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0S
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, PDQConnectUpdater-0.3.0.msi.12.dr, pdqconnectagent-setup.exe.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: powershell.exe, 00000012.00000002.2441964548.0000027C49D58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000012.00000002.2441964548.0000027C49D58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.ctain
Source: powershell.exe, 0000000E.00000002.2321295734.00000236BC14F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2336776852.00000236CA8FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.00000241818CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2406930107.000002419007D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2531039874.0000027C5A97D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4C1CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2705252077.000002191007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.00000219018C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, PDQConnectUpdater-0.3.0.msi.12.dr, pdqconnectagent-setup.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E3414D6000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2752781027.000001E3414E1000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E3414D6000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2752781027.000001E3414E1000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000015.00000002.2572142905.0000021901840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.2321295734.00000236BA881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.0000024180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4A901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs
Source: WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/bal
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/complus9WixToolset.Dependency.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/dependency3WixToolset.DirectX.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/dependencyXhttp://wixtoolset.org/schemas/v4/wxs/directx
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/difxapp5WixToolset.Firewall.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/difxappZhttp://wixtoolset.org/schemas/v4/wxs/firewallRhttp://wi
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/directx
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/firewall-WixToolset.Util.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/http
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/iis
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/msmq3WixToolset.ComPlus.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/netfx-WixToolset.Http.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/powershell=WixToolset.VisualStudio.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/powershellNhttp://wixtoolset.org/schemas/v4/wxs/vsRhttp://wixto
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/sql/WixToolset.Netfx.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/ui9WixToolset.PowerShell.wixext
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/util
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://wixtoolset.org/schemas/v4/wxs/vs-WixToolset.Msmq.wixext
Source: powershell.exe, 0000000E.00000002.2321295734.00000236BBC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.00000241813F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4BDE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000015.00000002.2572142905.0000021901840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, pdqconnectagent-setup.exe.7.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: http://www.test.com/xml/2015
Source: powershell.exe, 0000000E.00000002.2321295734.00000236BA881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.0000024180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4A901000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: pdq-connect-agent.exe, 0000000C.00000002.3294770461.000001E341465000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E341465000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2153265378.000001E341465000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000002.3295315075.000001E341975000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000002.3294770461.000001E3414B8000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E3414B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/
Source: PDQConnectAgent.db-journal.12.dr String found in binary or memory: https://app.pdq.com/D
Source: pdq-connect-agent.exe.1.dr String found in binary or memory: https://app.pdq.com/Hardcoded
Source: pdq-connect-agent.exe, 0000000C.00000002.3295315075.000001E341975000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/ul
Source: pdq-connect-agent.exe, 0000000C.00000002.3295182287.000001E3418E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/auth-challenge
Source: pdq-connect-agent.exe, 0000000C.00000002.3295182287.000001E3418E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/auth-challenge$
Source: pdq-connect-agent.exe, 0000000C.00000002.3295182287.000001E3418E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/auth-challenge0
Source: pdq-connect-agent.exe, 0000000C.00000002.3295182287.000001E3418E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/auth-challengel~
Source: pdq-connect-agent.exe, 0000000C.00000003.2753204165.000001E3414B9000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2753013298.000001E341972000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000002.3294770461.000001E3414B8000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E3414B8000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2752683448.000001E34196B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/register
Source: pdq-connect-agent.exe, 0000000C.00000003.2753204165.000001E3414B9000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000002.3294770461.000001E3414B8000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E3414B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/registeristration
Source: pdq-connect-agent.exe, 0000000C.00000002.3294419444.000001E340F96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/release-channels/stable/manifest.json
Source: pdq-connect-agent.exe, 0000000C.00000003.2152939224.000001E3414B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.pdq.com/v1/devices/release-channels/stable/manifest.jsonD
Source: powershell.exe, 00000015.00000002.2572142905.00000219018C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.2572142905.00000219018C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.2572142905.00000219018C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: pdq-connect-agent.exe.1.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: powershell.exe, 00000015.00000002.2572142905.0000021901840000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: pdq-connect-agent.exe.1.dr String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr String found in binary or memory: https://github.com/clap-rs/clap/issues/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://github.com/clap-rs/clap/issues0#
Source: pdq-connect-agent.exe.1.dr String found in binary or memory: https://github.com/clap-rs/clap/issues0#n
Source: pdq-connect-agent.exe.1.dr String found in binary or memory: https://github.com/clap-rs/clap/issuesC:
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr String found in binary or memory: https://github.com/clap-rs/clap/issuesx
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr String found in binary or memory: https://github.com/oleg-shilo/wixsharp/issues/1396#issuecomment-1849731522
Source: powershell.exe, 0000000E.00000002.2321295734.00000236BBBEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2321295734.00000236BB80A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.0000024180F8F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.0000024181370000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4B88A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4BC6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4BA4B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000E.00000002.2321295734.00000236BC14F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2336776852.00000236CA8FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.00000241818CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2406930107.000002419007D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2531039874.0000027C5A97D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4C1CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2705252077.000002191007C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.00000219018C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: pdq-connect-agent.exe, 0000000C.00000002.3294419444.000001E340F0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://o192192.ingest.sentry.io/api/6095569/envelope/
Source: pdq-connect-agent.exe, 0000000C.00000002.3294419444.000001E340F0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://o192192.ingest.sentry.io/api/6095569/envelope/3
Source: powershell.exe, 0000000E.00000002.2321295734.00000236BBC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.00000241813F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4BDE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000E.00000002.2321295734.00000236BBC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2361843090.00000241813F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2446101439.0000027C4BDE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2572142905.0000021900F8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: pdq-connect-agent.exe, 0000000C.00000003.2152939224.000001E3414E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com/connect-agent/PDQCon
Source: rundll32.exe, 00000004.00000003.2060074603.000001F96F002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082240245.000001B489421000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101046515.000001F0B0292000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2115010899.0000024569AF1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132284855.000001B2FB391000.00000004.00000020.00020000.00000000.sdmp, Portal.msi, WixSharp.dll.5.dr, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, WixToolset.Dtf.WindowsInstaller.dll.4.dr String found in binary or memory: https://wixtoolset.org/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.140.238:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.5:49983 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49986 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.5:49987 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.77.47:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.128.163.126:443 -> 192.168.2.5:49989 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands
barindex
Reads the Security eventlog
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PDQConnectAgent Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PDQConnectAgent Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PDQ.com Jump to behavior
Reads the System eventlog
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6a12c9.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI146E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{F03416B2-8C97-4CC4-8578-5F6A58F3EB84} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F2D.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F3E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F6E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2451.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI24EE.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2676.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2C05.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI328E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B87.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3BA8.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6a12cb.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6a12cb.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58F3EB84} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{F03416B2-8C97-4CC4-8578-5F6A58F3EB84}\app_icon.ico Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9 Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixSharp.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\CustomAction.config Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\pdqconnectagent-setup.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixToolset.Dtf.WindowsInstaller.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6 Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixSharp.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\CustomAction.config Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\pdqconnectagent-setup.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixToolset.Dtf.WindowsInstaller.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\wix{F03416B2-8C97-4CC4-8578-5F6A58F3EB84}.SchedServiceConfig.rmi Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098 Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\pdqconnectagent-setup.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\CustomAction.config Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\pdqconnectagent-setup.pdb Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixSharp.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixToolset.Dtf.WindowsInstaller.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20 Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\pdqconnectagent-setup.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\CustomAction.config Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\pdqconnectagent-setup.pdb Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixSharp.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixToolset.Dtf.WindowsInstaller.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74 Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\pdqconnectagent-setup.exe Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\CustomAction.config Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\pdqconnectagent-setup.pdb Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixSharp.dll Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixToolset.Dtf.WindowsInstaller.dll Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI146E.tmp Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_00007FF848A46D65 4_3_00007FF848A46D65
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_00007FF848A41610 4_3_00007FF848A41610
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_00007FF848A43741 4_3_00007FF848A43741
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_00007FF848A412F0 4_3_00007FF848A412F0
Source: C:\Windows\System32\rundll32.exe Code function: 4_3_00007FF848A412D0 4_3_00007FF848A412D0
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FF848A11610 5_3_00007FF848A11610
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FF848A13741 5_3_00007FF848A13741
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FF848A112F0 5_3_00007FF848A112F0
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FF848A112D0 5_3_00007FF848A112D0
Source: C:\Windows\System32\rundll32.exe Code function: 7_3_00007FF848A11610 7_3_00007FF848A11610
Source: C:\Windows\System32\rundll32.exe Code function: 7_3_00007FF848A112F0 7_3_00007FF848A112F0
Source: C:\Windows\System32\rundll32.exe Code function: 7_3_00007FF848A112D0 7_3_00007FF848A112D0
Source: C:\Windows\System32\rundll32.exe Code function: 7_3_00007FF848A15155 7_3_00007FF848A15155
Source: C:\Windows\System32\rundll32.exe Code function: 7_3_00007FF848A13741 7_3_00007FF848A13741
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FF848A051C5 8_3_00007FF848A051C5
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FF848A01610 8_3_00007FF848A01610
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FF848A012F0 8_3_00007FF848A012F0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FF848A012D0 8_3_00007FF848A012D0
Source: C:\Windows\System32\rundll32.exe Code function: 8_3_00007FF848A03741 8_3_00007FF848A03741
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FF848A36709 9_3_00007FF848A36709
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FF848A352B5 9_3_00007FF848A352B5
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FF848A31610 9_3_00007FF848A31610
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FF848A33741 9_3_00007FF848A33741
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FF848A312F0 9_3_00007FF848A312F0
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FF848A312D0 9_3_00007FF848A312D0
Source: C:\Windows\System32\rundll32.exe Code function: 9_3_00007FF848A36831 9_3_00007FF848A36831
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FF8489647FA 14_2_00007FF8489647FA
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe E545C996BBBFE3F969EF417744256A807BCC50983F606702B8A407FA781D199F
Enables security privileges
Source: C:\Windows\System32\rundll32.exe Process token adjusted: Security Jump to behavior
Sample file is different than original file name gathered from version info
Source: Portal.msi Binary or memory string: OriginalFilenameutilca.dll8 vs Portal.msi
Source: Portal.msi Binary or memory string: OriginalFilenamepdqconnectagent-setup.exeL vs Portal.msi
Source: Portal.msi Binary or memory string: OriginalFilenameSfxCA.dll8 vs Portal.msi
Source: Portal.msi Binary or memory string: OriginalFilenameWixSharp.dll2 vs Portal.msi
Source: pdq-connect-agent.exe.1.dr Binary string: poisonedAfdPollInfo\Device\Afd\Mio
Source: pdq-connect-agent.exe.1.dr Binary string: Failed to open \Device\Afd\Mio:
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr Binary or memory string: publish!wix.tools.csproj
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.2145240567.000001B280001000.00000004.00000800.00020000.00000000.sdmp, WixSharp.dll.5.dr Binary or memory string: .csproj
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr Binary or memory string: *.csprojwix\.wxi?Error: Cannot find UI project `
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr Binary or memory string: .aot.csproj
Source: classification engine Classification label: mal64.troj.evad.winMSI@31/77@4/3
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\PDQ Jump to behavior
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5492:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF9BE1662B759EAFF5.TMP Jump to behavior
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI146E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6952171 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: INSERT OR REPLACE INTO updates (product, version, last_try) VALUES (?, ?, CURRENT_TIMESTAMP);src\events\events_queue.rsSuccessfully read events from DB
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: pdq-connect-agent.exe, 0000000C.00000002.3294770461.000001E3414B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT value FROM settings WHERE key = ?;
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr Binary or memory string: SELECT step FROM WHERE id = ?;
Source: Portal.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Portal.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 6CC2AEC21F9691D9400C52C3CC91B334
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI146E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6952171 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1F6E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6954890 16 WixSharp!WixSharp.ManagedProjectActions.WixSharp_BeforeInstall_Action
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding F809AF2B04EF2DCECEB62F05202EAA97 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2676.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6956718 38 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.CreateEventSource
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI328E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6959781 50 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.StartService
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start "PDQConnectAgent"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe "C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe" --service
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 6CC2AEC21F9691D9400C52C3CC91B334 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding F809AF2B04EF2DCECEB62F05202EAA97 E Global\MSI0000 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI146E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6952171 2 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1F6E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6954890 16 WixSharp!WixSharp.ManagedProjectActions.WixSharp_BeforeInstall_Action Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2676.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6956718 38 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.CreateEventSource Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2C05.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6958093 44 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.WriteToken Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI328E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6959781 50 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.StartService Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start "PDQConnectAgent" Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: icu.dll Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent\LICENSE.html Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F03416B2-8C97-4CC4-8578-5F6A58F3EB84} Jump to behavior
Source: Portal.msi Static file information: File size 4946944 > 1048576
Source: Binary string: D:\dev\wixsharp-wix4\Source\src\WixSharp\obj\Release\WixSharp.pdbt~ source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\pdqconnectagent-setup.pdbm source: rundll32.exe, 00000007.00000002.2111161917.000001F0B0268000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\pdqconnectagent-setup.pdbll source: rundll32.exe, 00000009.00000002.2145984383.000001B2FB360000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdqconnectupdater-setup.pdb source: PDQConnectUpdater-0.3.0.msi.12.dr
Source: Binary string: WixToolset.Dtf.WindowsInstaller.pdbSHA256 source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixToolset.Dtf.WindowsInstaller.dll.4.dr
Source: Binary string: D:\dev\wixsharp-wix4\Source\src\WixSharp\obj\Release\WixSharp.pdb source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: D:\a\wix\wix\build\dtf\Release\x64\SfxCA.pdb source: Portal.msi, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr, MSI328E.tmp.1.dr
Source: Binary string: pdqconnectagent-setup.pdb source: Portal.msi, MSI1F2D.tmp.1.dr, MSI328E.tmp.1.dr
Source: Binary string: D:\a\wix4\wix4\build\api\Release\v143\x86\mbanative.pdb source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: \??\C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\pdqconnectagent-setup.pdblH source: rundll32.exe, 00000008.00000002.2125319285.0000024569AC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\wix\wix\build\Util.wixext\Release\x64\utilca.pdb source: Portal.msi, PDQConnectUpdater-0.3.0.msi.12.dr, MSI1F2D.tmp.1.dr
Source: Binary string: D:\a\rover\rover\wix\pdqconnectagent-setup\obj\Release\pdqconnectagent-setup.pdb source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, pdqconnectagent-setup.exe.7.dr
Source: Binary string: cscs.exe.pdb!Build_CA_DLL.cmd source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixSharp.dll.5.dr
Source: Binary string: Yqw pdqconnectupdater-setup.pdbh source: PDQConnectUpdater-0.3.0.msi.12.dr
Source: Binary string: WixToolset.Dtf.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, WixToolset.Dtf.WindowsInstaller.dll.4.dr
Source: Binary string: PDQCON~1.PDBpdqconnectagent-setup.pdbx source: rundll32.exe, 00000008.00000002.2125319285.0000024569B62000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d1YKt pdqconnectagent-setup.pdbh source: Portal.msi, MSI1F2D.tmp.1.dr, MSI328E.tmp.1.dr
Source: Binary string: pdq_connect_agent.pdb source: pdq-connect-agent.exe, 0000000C.00000002.3295758131.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe, 0000000C.00000000.2139822757.00007FF78CF92000.00000002.00000001.01000000.0000000A.sdmp, pdq-connect-agent.exe.1.dr
Source: Binary string: D:\a\rover\rover\wix\pdqconnectagent-setup\obj\Release\pdqconnectagent-setup.pdb=MWM IM_CorExeMainmscoree.dll source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2114835794.000002456B5A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2132130065.000001B2FCD72000.00000004.00000020.00020000.00000000.sdmp, pdqconnectagent-setup.exe.7.dr
Binary contains a suspicious time stamp
Source: pdqconnectagent-setup.exe.4.dr Static PE information: 0xBDE62C11 [Tue Dec 16 17:59:45 2070 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FF848A13D95 push FFFFFFE8h; ret 5_3_00007FF848A13DF9
Source: C:\Windows\System32\rundll32.exe Code function: 5_3_00007FF848A17DC2 pushad ; ret 5_3_00007FF848A17DD1
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI24EE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B87.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3BA8.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI146E.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F3E.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI328E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2451.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2676.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F6E.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2C05.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\pdqconnectagent-setup.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI24EE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3B87.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3BA8.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI146E.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F3E.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI328E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2451.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2676.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1F6E.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2C05.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe File created: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\pdqconnectagent-setup.exe Jump to dropped file
Creates or modifies windows services
Source: C:\Windows\System32\rundll32.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\PDQ.com Jump to behavior
Modifies existing windows services
Source: C:\Windows\System32\rundll32.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\PDQ.com Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start "PDQConnectAgent"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4921
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8249
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1512
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5392
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7383
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2348
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI24EE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3B87.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3BA8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI146E.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1F3E.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI328E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1F6E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2451.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2676.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixToolset.Dtf.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2C05.tmp Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixSharp.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\pdqconnectagent-setup.exe Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\pdqconnectagent-setup.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1992 Thread sleep count: 4921 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1992 Thread sleep count: 4904 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6020 Thread sleep count: 8249 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6020 Thread sleep count: 1512 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5240 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700 Thread sleep count: 5392 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700 Thread sleep count: 3896 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3332 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2292 Thread sleep count: 7383 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2292 Thread sleep count: 2348 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624 Thread sleep time: -4611686018427385s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: pdq-connect-agent.exe, 0000000C.00000002.3294770461.000001E341465000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2745757092.000001E341465000.00000004.00000020.00020000.00000000.sdmp, pdq-connect-agent.exe, 0000000C.00000003.2152939224.000001E341479000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\rundll32.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command -
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start "PDQConnectAgent" Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command - Jump to behavior
Source: rundll32.exe, 00000004.00000003.2059789312.000001F970B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2082116470.000001B48AEE2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2100910825.000001F0B1E06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCAFF0EF70119428EDA813B551E8FF8FDE9\WixSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\WixSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA9B20618A2F4D43A947D4DDC1A40E47B6\pdqconnectagent-setup.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\pdqconnectagent-setup.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA363E23D38342B28859B2E30EB0910098\WixSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\pdqconnectagent-setup.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCA87E78A4C484AC7BA8DC6E0B5627E7F20\WixSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixToolset.Dtf.WindowsInstaller.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\pdqconnectagent-setup.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Installer\SFXCABAC30776D64ECC5AFC62613A5E146B74\WixSharp.dll VolumeInformation Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Queries volume information: C:\ProgramData\PDQ\PDQConnectAgent\token VolumeInformation Jump to behavior
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Queries volume information: C:\ProgramData\PDQ\PDQConnectAgent\token VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Program Files\PDQ\PDQConnectAgent\pdq-connect-agent.exe Code function: 12_2_00007FF78CF6F928 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_00007FF78CF6F928
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527957 Sample: Portal.msi Startdate: 07/10/2024 Architecture: WINDOWS Score: 64 81 pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com 2->81 83 websocket.app.pdq.com 2->83 85 app.pdq.com 2->85 95 Bypasses PowerShell execution policy 2->95 97 AI detected suspicious sample 2->97 10 pdq-connect-agent.exe 7 2->10         started        13 msiexec.exe 82 44 2->13         started        16 msiexec.exe 5 2->16         started        signatures3 99 Queries the IP of a very long domain name 81->99 process4 dnsIp5 87 pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com 162.159.140.238, 443, 49706 CLOUDFLARENETUS United States 10->87 89 app.pdq.com 104.16.77.47, 443, 49705, 49979 CLOUDFLARENETUS United States 10->89 91 websocket.app.pdq.com 34.128.163.126, 443, 49983, 49985 ATGS-MMD-ASUS United States 10->91 18 powershell.exe 10->18         started        21 powershell.exe 10->21         started        23 powershell.exe 10->23         started        25 powershell.exe 10->25         started        73 C:\Program Files\...\pdq-connect-agent.exe, PE32+ 13->73 dropped 75 C:\Windows\Installer\MSI3BA8.tmp, PE32+ 13->75 dropped 77 C:\Windows\Installer\MSI3B87.tmp, PE32+ 13->77 dropped 79 8 other files (none is malicious) 13->79 dropped 27 msiexec.exe 1 13->27         started        29 msiexec.exe 13->29         started        file6 process7 signatures8 93 Loading BitLocker PowerShell Module 18->93 31 conhost.exe 18->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        39 rundll32.exe 4 7 27->39         started        43 rundll32.exe 7 27->43         started        45 rundll32.exe 10 27->45         started        47 rundll32.exe 7 29->47         started        49 rundll32.exe 6 29->49         started        process9 file10 67 3 other files (none is malicious) 39->67 dropped 101 Reads the Security eventlog 39->101 103 Reads the System eventlog 39->103 55 C:\Windows\...\pdqconnectagent-setup.exe, PE32 43->55 dropped 57 C:\...\WixToolset.Dtf.WindowsInstaller.dll, PE32 43->57 dropped 59 C:\Windows\Installer\...\WixSharp.dll, PE32 43->59 dropped 51 sc.exe 1 43->51         started        69 3 other files (none is malicious) 45->69 dropped 61 C:\Windows\...\pdqconnectagent-setup.exe, PE32 47->61 dropped 63 C:\...\WixToolset.Dtf.WindowsInstaller.dll, PE32 47->63 dropped 65 C:\Windows\Installer\...\WixSharp.dll, PE32 47->65 dropped 71 3 other files (none is malicious) 49->71 dropped signatures11 process12 process13 53 conhost.exe 51->53         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.128.163.126
 websocket.app.pdq.com United States
2686 ATGS-MMD-ASUS false
104.16.77.47
 app.pdq.com United States
13335 CLOUDFLARENETUS false
162.159.140.238
 pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com 162.159.140.238 true
app.pdq.com 104.16.77.47 true
websocket.app.pdq.com 34.128.163.126 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://websocket.app.pdq.com:443/v1/devices/socket/websocket?device_id=dvc_cf03d73e6c6b34abc8bc8409f8ee13c1 false
    		unknown