The modified installer of legit “PDFescape Desktop Installer” app looks like this:  Fake PDFescape Desktop Installer AppSHA-256: 0c933001de544ebc071d175d9f8e3bfad8066b532dc69dea4c713c52eb6a64a0 Cyren detects this kind of malware as W32/SolarMarker.A.gen!Eldorado. Upon execution, It creates an encoded file under %Userdir%<randomchars><randomchars><randomchars><randomchars><randomchars><randomchars><randomchars> (encoded file). It then executes a Power Shell Script command to decode and execute the