e3769e0029e021b9fa85d0c5e30f17438e335e862748787125655b20f84fe641

Analysis

max time kernel
1111s
max time network
1114s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-08-2022 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

1.9MB
MD5

459612ae4f7594bc66db8030f50fd77d
SHA1

3beff442c1e897f5ff8f8312be7d7a1feb991b6f
SHA256

e3769e0029e021b9fa85d0c5e30f17438e335e862748787125655b20f84fe641
SHA512

60df943e0a79a5ea754c344a1e84522e8c34e87ce097f105958b20767dbef2fa6f6459c28eedb3014cb53ed38c25f2d6fba00223b23fb788bd2309e13f38d9ec
SSDEEP

24576:ScZKJe84Q/r6PseDjqyCJwkFvmqfn3tNJJnFtwoFnFtwoFSH/C7f8n6iG:WJe844WsDLWSOOt/JnFtbnFtXSc8n6iG

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

pdfeTools.exePDFEditor.exePDFEditor.exePDFEditor.exePDFEditor.exePDFEditor.exe

pid process

1756 pdfeTools.exe
1896 PDFEditor.exe
1660 PDFEditor.exe
1080 PDFEditor.exe
984 PDFEditor.exe
292 PDFEditor.exe

pid	process
1756	pdfeTools.exe
1896	PDFEditor.exe
1660	PDFEditor.exe
1080	PDFEditor.exe
984	PDFEditor.exe
292	PDFEditor.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA1A27D7-D3AE-4A03-BEE0-E694A5EF591E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA1A27D7-D3AE-4A03-BEE0-E694A5EF591E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\fypdfeditor\\pdfeditormenu64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA1A27D7-D3AE-4A03-BEE0-E694A5EF591E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 30 IoCs

Processes:

setup.exeregsvr32.exeregsvr32.exePDFEditor.exeregsvr32.exePDFEditor.exePDFEditor.exePDFEditor.exePDFEditor.exe

pid	process
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1272	regsvr32.exe
768	regsvr32.exe
1660	PDFEditor.exe
1660	PDFEditor.exe
1720	regsvr32.exe
1660	PDFEditor.exe
1660	PDFEditor.exe
1080	PDFEditor.exe
1080	PDFEditor.exe
1080	PDFEditor.exe
984	PDFEditor.exe
984	PDFEditor.exe
292	PDFEditor.exe
292	PDFEditor.exe
292	PDFEditor.exe
292	PDFEditor.exe
1896	PDFEditor.exe
1896	PDFEditor.exe
1896	PDFEditor.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exePDFEditor.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EC7DCD5-6BCF-45EF-9D8B-10C69174FFC5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C5BB3E9-6AFE-4894-BA80-5B774BE40011}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C8D5F404-EDB5-400C-92CD-4DD4180C13BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3E2C472-5A54-4169-98DE-CED5FEDB39F2}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7A9134A9-20F7-4D8D-806D-8DEFDF70029F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{87CBE853-7868-4688-8847-BFE67802F826}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69E71C54-93FD-403B-BED2-E9B703EFCCF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB35E2D7-12DB-4DD7-AE5E-43B6E2B9D163}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D083D8FD-73C0-4467-B913-43FAE1F15FD4}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1B4807E-65DB-4FE7-88FE-DB703CF57807}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3116D512-3C69-454E-9040-8EE1652886C8}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C5CE95F-3FC4-4FE8-8159-21D550451AF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C0A30CF-1B2F-4091-AC7F-9D11D74326B0}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A527388D-E382-4227-BDAA-D8278C7B1924}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98D7F239-5146-4B3D-884D-9008721C75B7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E71F605-B8D3-4478-BDBA-7021069C464F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E71F605-B8D3-4478-BDBA-7021069C464F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCBDCD6D-0C0A-4040-A69C-2008C35B7525}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F25D53D5-5F88-4FDD-BB3F-88EFC7E7C2CE}\ = "INumArray"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69E71C54-93FD-403B-BED2-E9B703EFCCF8}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD3E64CE-677F-4A57-89A3-08250712CCF2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FECBB317-0A10-475D-886A-1345F764D242}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0647EED6-CE73-4167-8D0C-541654EADA08}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21CEE151-F458-4B54-B6DB-45285E04AEC1}\ = "IPXV_DocList"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1B4807E-65DB-4FE7-88FE-DB703CF57807}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5CC12C51-E255-427D-8385-10304C887256}\ = "IPXV_DocSaveEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95ABC066-9919-4571-8387-7A7CFB5FAEEF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFXEdit.PXV_Control\ = "PDF-XChange Editor ActiveX Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F5231AB-AF92-4184-A361-5A3307A3464E}\ = "IAUX_Inst"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9764FFB4-99C8-4FE5-BF07-225580214F60}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{081DC047-58D5-42E2-B263-2477CE37D502}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8D5F404-EDB5-400C-92CD-4DD4180C13BB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D14D8C84-A4A9-4CC4-AD61-441F949A360A}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF87328C-B7C8-4FC8-8DE6-043E83F25A17}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F5231AB-AF92-4184-A361-5A3307A3464E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCBDCD6D-0C0A-4040-A69C-2008C35B7525}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E920A0D-3156-4EB6-932F-5AB7287C54E5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71D744C0-D3E3-4BF2-8405-56ABFC895DFC}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88D5604A-0C19-4F47-BD4A-969D740A5B16}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{058487BC-FAB1-43E1-B9E0-77E7ADB97460}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F6C77B-0FFF-43F5-8DE3-0715163D80DD}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78527649-463C-49AA-8EA8-8DC10505FB31}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71300D43-687F-436A-A699-2B37448D0803}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C577CE3-F5BD-4AC5-B52D-76264D51D578}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84B23B1A-25E5-46A4-90ED-E4C8B678F535}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{74CB8E24-D85D-4A6D-BE72-AF57F21A1034}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D934750D-E5CF-49BD-B949-525E56FA1A69}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF87328C-B7C8-4FC8-8DE6-043E83F25A17}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFEditor.pdffile\DefaultIcon	PDFEditor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71F2FEB3-5452-49FF-8A0F-AC49C635ECD9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79A56420-B280-448E-B2DC-9ECF68F82A34}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FECBB317-0A10-475D-886A-1345F764D242}\ = "IUIX_Spin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1149909-4EDC-4421-B9E5-E93C25A000A1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6554EA2D-9436-4F25-8B11-A4CB7C2608DB}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71D744C0-D3E3-4BF2-8405-56ABFC895DFC}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0AAB4D6-161B-4ED0-8BA2-BDD15BF79C47}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE52AAD-8807-46DA-8EF6-C20E2E8AEF2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78874680-AE90-4F97-8236-5016AFFE6569}\ = "IUIX_ControlsLock"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D726366D-34D6-49FC-A341-7B84C54CCA3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A31C9941-4A55-43F6-87BC-0738234B5CAB}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{555C4721-774B-4E81-9BA5-62D7ED4E5B87}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CED0F57-B96A-4CF2-83B8-130E544A2644}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

PDFEditor.exePDFEditor.exe

pid process

1660 PDFEditor.exe
292 PDFEditor.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

setup.exe

pid process

1444 setup.exe
1444 setup.exe
1444 setup.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup.exe

pid process

1444 setup.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

PDFEditor.exePDFEditor.exePDFEditor.exePDFEditor.exePDFEditor.exe

pid	process
1660	PDFEditor.exe
1660	PDFEditor.exe
1080	PDFEditor.exe
984	PDFEditor.exe
1660	PDFEditor.exe
292	PDFEditor.exe
292	PDFEditor.exe
1896	PDFEditor.exe
292	PDFEditor.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

setup.exepdfeTools.exeregsvr32.exePDFEditor.exe

description	pid	process	target process
PID 1444 wrote to memory of 1756	1444	setup.exe	pdfeTools.exe
PID 1444 wrote to memory of 1756	1444	setup.exe	pdfeTools.exe
PID 1444 wrote to memory of 1756	1444	setup.exe	pdfeTools.exe
PID 1444 wrote to memory of 1756	1444	setup.exe	pdfeTools.exe
PID 1444 wrote to memory of 1896	1444	setup.exe	PDFEditor.exe
PID 1444 wrote to memory of 1896	1444	setup.exe	PDFEditor.exe
PID 1444 wrote to memory of 1896	1444	setup.exe	PDFEditor.exe
PID 1444 wrote to memory of 1896	1444	setup.exe	PDFEditor.exe
PID 1756 wrote to memory of 1272	1756	pdfeTools.exe	regsvr32.exe
PID 1756 wrote to memory of 1272	1756	pdfeTools.exe	regsvr32.exe
PID 1756 wrote to memory of 1272	1756	pdfeTools.exe	regsvr32.exe
PID 1756 wrote to memory of 1272	1756	pdfeTools.exe	regsvr32.exe
PID 1756 wrote to memory of 1272	1756	pdfeTools.exe	regsvr32.exe
PID 1756 wrote to memory of 1272	1756	pdfeTools.exe	regsvr32.exe
PID 1756 wrote to memory of 1272	1756	pdfeTools.exe	regsvr32.exe
PID 1272 wrote to memory of 768	1272	regsvr32.exe	regsvr32.exe
PID 1272 wrote to memory of 768	1272	regsvr32.exe	regsvr32.exe
PID 1272 wrote to memory of 768	1272	regsvr32.exe	regsvr32.exe
PID 1272 wrote to memory of 768	1272	regsvr32.exe	regsvr32.exe
PID 1272 wrote to memory of 768	1272	regsvr32.exe	regsvr32.exe
PID 1272 wrote to memory of 768	1272	regsvr32.exe	regsvr32.exe
PID 1272 wrote to memory of 768	1272	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1720	1660	PDFEditor.exe	regsvr32.exe
PID 1660 wrote to memory of 1720	1660	PDFEditor.exe	regsvr32.exe
PID 1660 wrote to memory of 1720	1660	PDFEditor.exe	regsvr32.exe
PID 1660 wrote to memory of 1720	1660	PDFEditor.exe	regsvr32.exe
PID 1660 wrote to memory of 1720	1660	PDFEditor.exe	regsvr32.exe
PID 1660 wrote to memory of 1720	1660	PDFEditor.exe	regsvr32.exe
PID 1660 wrote to memory of 1720	1660	PDFEditor.exe	regsvr32.exe
PID 1660 wrote to memory of 1080	1660	PDFEditor.exe	PDFEditor.exe
PID 1660 wrote to memory of 1080	1660	PDFEditor.exe	PDFEditor.exe
PID 1660 wrote to memory of 1080	1660	PDFEditor.exe	PDFEditor.exe
PID 1660 wrote to memory of 1080	1660	PDFEditor.exe	PDFEditor.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe
"C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe" regdll=C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
PID:768

C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
"C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe" RegisterFileRelation
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFXEditCore.x86.dll
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1720

C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
"C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe" RegisterFileRelation
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
"C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:984

C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
"C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.cs-CZ.xcl

Filesize
542KB

MD5
7ad2262665706cb3c942e4a96481e0b8

SHA1
6707ecf91fddd6e02105dfaff21ad17e1f95ba90

SHA256
b3ba3b8f9d08d84d5a4cdd8c81c48e93ea66a2fafb6df39b970c48cf60445081

SHA512
359bf1a19a9da316dbb0232d33409d9085b773df15b8426554044b274bd42c98d659779d22a931f7c5eab129eb083b7821a822b2ade357531c3361069fb3f462

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.da-DK.xcl

Filesize
519KB

MD5
583eb3292ac0d42f745dd3117d1c663f

SHA1
a831bc116491249b1923f4fcec56cdc57e9e0867

SHA256
f84091bb1518343cb960dd9e5e07112c6e5fe223191c9d2569718c806e9336ed

SHA512
2fe02a8d35cabf0d1f65eedfb334dea7e9abb0815462ee9168a5451dc2445918b9cc90c2c1f98828c5f91157b0e1ec027b368f5b86bd0bb2325fce73c25faf38

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.de-DE.xcl

Filesize
568KB

MD5
ca1ad439e25e5ffb428cc434a2d1f0a5

SHA1
0014307ece52976f579bb2bb3882257aef7e2542

SHA256
f134542f0a32ee8fa91e23cb45546de850bde961c84229df188e10e9ad66483a

SHA512
728e2876fc6190ddbced9b279c48989f9602d0c4a9f5dcb9ea92eed68742014fd54c7b7ee72e23d5e0115f20279d0c974b9e39eda0db9918e61fd83b0a3700b5

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.el-GR.xcl

Filesize
528KB

MD5
000659ee3da793c0399f170657fb8423

SHA1
b36576aed27298dfe312489f5424d1547ace208a

SHA256
7cb493a3abb643c6a94e4fd2c6496b2bc021ff0bd54851b6bf45771368c1bd29

SHA512
aa145cd32cff0d91ffc3ffe94514648f0d0fe5146214f6999553b4825c9c54e08eaabfd63d29f6ef84d970a7cd71b8972f488776fa1892810b194c618af69091

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.es-ES.xcl

Filesize
558KB

MD5
739a4be3327e0b19a9d3507a228247be

SHA1
b327d80ba769e6a6cf2c34d0da45fec4e4b53104

SHA256
6c9074121255419f53c409e77630db1154ea274b0f86115790959ab82acd587c

SHA512
435c26377bff05f12f17f59b79ce7b961883c986d1e8765bd1aadf7c81c6ee81927e6fb8724393c1b5ad67fa0201231b4034be0816b3e8bf27aee03e045afbe4

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.fi-FI.xcl

Filesize
525KB

MD5
4e72fba3ddb0dd86fdc1177097dcc312

SHA1
828c4c51d27a93fb5444772bf008878528984f82

SHA256
f0e58a59bac97300e781a498366529b499d76e52405a7bde21ec278f9699fa31

SHA512
aab8a38f8915c3867c5c3e9406f955435b4d99ff123027b4a1467a0f4a4d06077072d3283e414543f093766fca4b1d8ef30fe7ff2386c6cdd551a046c4d799f2

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.fr-CH.xcl

Filesize
354KB

MD5
f65d8378a0af97b067928e813dbc7689

SHA1
13de4c0ad2be33dbc78080181037b3214f5b21f9

SHA256
db960a1be3bd55f2fafbd820395495e8fe939ef966bf8a18b341cc2e5541a01a

SHA512
7a4d7569c6820f1c7684337c0a0493d7d53b47ee274b09e421b6bbf16832bb5671c3cdb9682406820cb78081a1806610b0976f2fdfa9b0fe43387c7c251f5d67

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.fr-FR.xcl

Filesize
564KB

MD5
2fae3d3390ada31e77df3388d40f3944

SHA1
078aebba62984f5b8662dc91a5ed055eadb2ec0a

SHA256
20e97164abb21898c8b4062fe0d8bc531d42992218a9dd419d77ff29f1c2c936

SHA512
045223c5e83cc726c2fc3df7ce885e2dd33fe0c31398867057ec0fd38b43f30b86253fb65aaa2a223adbf1c3f76aae1c74b2635d231ab671a01b32cc42d2824d

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.fy-NL.xcl

Filesize
555KB

MD5
cc7f5d17e1e3b73808d3be34fa728928

SHA1
d7fc1e6eedd272a1b7b2336b470a464a96d4b7f7

SHA256
24581c9a55c5cffeeb8335bb3c6818fca7deaf3ec00e00482678498ef1dab3a3

SHA512
dbe69b8399bfa29ec0698ca72c0927e98bb18d2829df71becf75b077655199edfaa271d232e7ac1de2bf9053a54b14e6a5f5a3017d3ada10dfe77e95e61dc012

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.gl-ES.xcl

Filesize
549KB

MD5
5a6550d303da084c6273361369f363fc

SHA1
916782e0d3e71a9dab0583efb79c3e5cd7c38faf

SHA256
434568902c8b9509e094410518f0af2320081d52b79976a6989fb273ed64fc91

SHA512
e7100b2f44ca8d8459077dacc8b4ec317040d771b34dbc3cfbee3fbcde9ef30f29fafa03aff87588d3e94b1980199abcf5feaa9303e36c881583e3aa790ef5af

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.he-IL.xcl

Filesize
328KB

MD5
e404f8d0a8a72f0f931f237be838d10a

SHA1
1a4d55beb4f2a48e6b9eff98bd2ea6cbaa7fd2a3

SHA256
19f64ff0b1df8e72e013c799a235961fe4679df60beebae766747c72938a523f

SHA512
fdbd04473986cf500e1031542d974ca393171871feb32ff0d0ba1b29fa06c8dc92c23db43ea8a8aaed7dd90cf109813ba717618e86ed73219785f90d331d4bd7

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.hu-HU.xcl

Filesize
413KB

MD5
3978a67d2d965acb20fa4349bdd82180

SHA1
d72ea881b5738878c0a5037b5907b2b150ac1b44

SHA256
aae01cd12a1a77f2fa56046901b62fc60d2350665170b40def67006c771a8d00

SHA512
7754e8c9978f002773bf1174db1c01135a68e044b0856720dc5cb08c5792d61efef05e6336a2a71376a3171b15391d3947e196404463bcb36b1775ac025f1fdd

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.it-IT.xcl

Filesize
563KB

MD5
d0744bf024b160abc85f6d214cea80c0

SHA1
2bf0060c567bc06b5bf0706a07f7c23d834242fc

SHA256
80961cee4a96d99e5f6cbbdc5982d494da1c6ebbc8145b634927d362a573eca8

SHA512
58097c2369c0884dea3554cdb0c9a7b197d0671c84331c76aa963dcaf99e711ea2e83b7984ca080d5079e9fb205be28878749811cce519e43c959bf3688bd4b7

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.ja-JP.xcl

Filesize
596KB

MD5
09cbcdf62c94ab49c58fe1ae15f1dddd

SHA1
1e31835edaf8a965550a5aa561afaad94ad1a38c

SHA256
b904eff69afb7b9d9500d45f00fc59a022e933acc6e6c1f4f1964028b67e7c68

SHA512
1df8187e3c9b37913d257800c06a99427f07fd540ab55a20c33946c431b197dfc4f7f5b4755604fe954418f83b87c2bc51f3887489a20ca3c7be9be776f354ed

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.ko-KR.xcl

Filesize
325KB

MD5
26fdd257d2a38f24276af49b565d0ef3

SHA1
299a1c653e41f18e7a1391cfe98ce3a716f970df

SHA256
2340281a0374e405bba3a0d3fbec4b4d7cafafc4bdf37b25eaa2c73a36330ead

SHA512
7aa5dd8127713792c5789cc62e370e29e458575383846704c8c0fb60ca9884fc4015bb6f6edb814700e4bc22cbd3ed0e3b59d39eaedfa153e636ba7aa823f23a

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.nl-NL.xcl

Filesize
514KB

MD5
01acfdd4c5f611a3ef77a3630171f665

SHA1
53e741bc4fe10ed43ae3e04c8fe47ae477ac75b0

SHA256
d64d31e7fbb36e6b811032d11525e38ec8c41d6931680d24f98acecfcb09a9a9

SHA512
1f00ccf69a49e691b018987ddf118927af895e825f2b1979f56b9f0103cff5be0c933c99501422b94ae5eef25cefad8acb76d266de3772e494c70484d0836ab9

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.pl-PL.xcl

Filesize
490KB

MD5
6eb08f46c37634f143be3cc0bed9c2d2

SHA1
3c7bb1b67c873ab301728314a7cee1e8318baa3f

SHA256
a262ed5ca1bc6e7960d544a66be5a579b75bdc1fd9ce01467c3c089e503d5e58

SHA512
14389a817150466fdf4ed6c8f5917016e4749e65f9c7e916237312ef8a6a78f499a9ab76dc6d31978267ed371b5dcb69266f3a831208f7e04126c703e0ebc31c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.pt-BR.xcl

Filesize
560KB

MD5
b0e773407592a9e006a0cf6a3ccf8714

SHA1
989ba3c5fcc5c8e309cff217dc665ca0381a80a7

SHA256
5f0fc3b7ba11efc99a61cc1bfb455bb2faea227a0e10202894ccbfe549c65302

SHA512
dd8a3a84ec23894eeedbb4254e783a7a42b722801a0f0e8f557a961c67f02d0486104a696288da3e1fdea8f3cf48cff59142ccc0ee179a97deabc53819fa1552

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.pt-PT.xcl

Filesize
370KB

MD5
13bd9ac22a78b741566f8ee3f135630a

SHA1
d172bba852e88ec9d2303207b4d79fb30350bb0a

SHA256
b10c3940510b0c5e1aff0a5a862fbdcc5fc999f2a80f5268520c4d31f9a38442

SHA512
9e2c2299f947f7cdadfd4ba209e474a27d47eb2d0e4c70996b00fb4ea16aa010f9efdf5164bec728103a5afe8e7776ef8c51a967eaac5850b30304510c107e81

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.ro-RO.xcl

Filesize
368KB

MD5
73cb320d257246cec6dc035004a1f59d

SHA1
f6fc11c301ff2cc29c25272e06899511555e1744

SHA256
5cfec41cf2b4691a95e1608ae24e22cde7482cac44c583328d9aa2f58c5c252b

SHA512
99c0ae296cab39c2099b01f7ded417e1d87ece1b09ce28dc60237be530a4fa3aca6a264aab3478088652881e7f58e162a2faba679e08609cd609cbd50b204c1f

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.ru-RU.xcl

Filesize
707KB

MD5
88a152e0877f333cc2863549323a5546

SHA1
0f8f70cfcc3ab194deef2fc390da9ab20d0751bb

SHA256
3374e482352439f852172360334cfe71f77bc0c1bcefeaa67718de39e002d6de

SHA512
54b90291bc98d62f67d40f4b2e81fb1b8b0878dd4bd1d208858f31ed61559b630cebf90c62c8f77e3fb3cc76eefab6386f4427a59bf3158c7a2033ef3270e214

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.sk-SK.xcl

Filesize
398KB

MD5
e865eed8477026f6e0fe5349cfca88dc

SHA1
f995e02759455a2a78872847a93430b08fcfd36e

SHA256
7a64e7445bca3c648790928aa6c03dddffa74a60e38d82f8f92249fde4268ec1

SHA512
75a6606173c162ed0f0aee245b4564ba513d46e610a6965d489b1fd9e110ce4c720246762b54d830d7ead12a4b1c36675a39bf41f7627ff55921f1c743098f74

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.sl-SI.xcl

Filesize
474KB

MD5
5eee8736c32559a98274d689f30d9c0a

SHA1
be22050d6bc217b9080db027efd8325146b6f52b

SHA256
82f21256af2ab1e252ca10ed496f3f4db0e04f3201e7c6a57a564013ffc7ac32

SHA512
c13ead94bd9983a4b099fe3b344d9b9e2fbf54fdefe3280f395a4b591faf02568bd812588b9b551391c41318d85297110e8e7a69b03f27db19fefac2e0c50dd5

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.sr-Latn-RS.xcl

Filesize
531KB

MD5
ba6a7e87cda2dba7b13bc39d28016536

SHA1
448411f4c2f3390f9e827ae627f464c1b1328c0e

SHA256
52ea1c0fc8a5bee3c65ac85b59f52a15a2f526f53239c26728a12478db761735

SHA512
99a8341777c83ee6403fa30a4d383d41c5b9d7a56007227285fe0e94d029b451575189eb87b3f06a8bff59a1943ce5f3bcc3b69a499c968727c8f1e91b9dd47a

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.sv-SE.xcl

Filesize
530KB

MD5
64eab720293432b7c9d1b930c08f9dfb

SHA1
faa8ce0855f829a2826c28bd0b87d9e0339bac95

SHA256
e701c9c13f7a67101743372f6303fcd955258d12002efb2bdff823b076b18592

SHA512
c05896706c8ea25bdc34b4b0c59f07729e10889666b1c745ffd0a45f002978cb0f3bbb7d2ca5e9b33c32fd725c5ecb7d1eff28ddb331f6522388356856e4660f

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.tr-TR.xcl

Filesize
544KB

MD5
6d6cba4183a3c3fbad0578011b2de388

SHA1
118badf030e3e867138259045a504b8e3441277e

SHA256
d96835e3b618b0296e9e5fe65280dab68534655ed8bc56c394e05a9b116aebe3

SHA512
b3bf4c55e1e7dc4c018109e8974866ef839e581d88b0cd24002ab0e035d06f88ed9f69e34b9f95684f00c619c81c34413ef720158a97774690fcad8a8938d562

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.uk-UA.xcl

Filesize
697KB

MD5
329b5e93bdf45d8e27a0f7b3cbcba2f8

SHA1
596e69f6cb7dbcfdfa440566dd124be9317a6bda

SHA256
255b28066c3c5c8ab003866b02897085cc3430b29f4b2c01cbbd47340884551e

SHA512
53a284b08cfbc0a436f05864177eb2b99fbc42317bbf20696a7e5797817355aff06cf93913409c26fb02882ba5e93525c6c8e23bdee10377f8305f26343392c2

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.zh-CN.xcl

Filesize
483KB

MD5
0cf7cdb07ad7d1045438e0ab6e1847a8

SHA1
5421d35733973ea58428ac20887200517160d849

SHA256
6acd53ea0bcc4964ad70068efed922dc048f1fce206d6a31c143885178093ca6

SHA512
a39c8458859f380ad82231e34fa93a04f5d640ccf69e3febb9cb40e6c341edc28d31de4e30e9116026a27f27cf1a9ff657ffbf71f2938fd943daa22a39d6500d

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.zh-TW.xcl

Filesize
512KB

MD5
c656f83d1f087b6353de074c8cb67311

SHA1
144fe26005e38d816593074797011d8a75a649bd

SHA256
09f6ac47e033b2687cd753a9e3f8f7e3269e9cae6f5fc23c16e49b4d71a21997

SHA512
1f7083b65a4ffacc959363ad98a51ee311eea7c92ff325b2bd22c7ce623f0c20a425fa4e9b94aa4eedb581a7743935d635548b1d61168b4cafbfe45161638c35

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFXEditCore.x86.dll

Filesize
35.2MB

MD5
7405bfafceb97d1b3392d3d22a331392

SHA1
bfac9c26f6c7715e6256e81612921d0903783a27

SHA256
1da6b0fc2f63f381f39a6ba04c72ab1b1abad36effa10c971427b6abfb9e51ce

SHA512
d90468d588932959977265eac229530f2a0866ceb9c0ddf165857af287822e02d67005e2b08eaed5c37a6a14064f2fe375bd5f145b85ab0c85943d0708518083

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Resources.dat

Filesize
5.8MB

MD5
7c4076ed15c5e80095fad68019ba0d92

SHA1
d8a49e11cd3e451dde3be736ac097dd418503812

SHA256
63a6ecc761e08a6ac26e5feb2a9e34b72a204003443a6a0cd585c5068f3b8e21

SHA512
4751a88cd3a16633ab5b268b57abfb042f7540f09a01fbb104e31ddff434b6de55435053dde768faf19bf0fef834abca615b884f15573400f62611d70b4e614d

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\UserAndPayClient.dll

Filesize
3.8MB

MD5
35753fe8257bc37be3163bc22c76a410

SHA1
dfae70796d06ac62f277bb570ae33c632ec0ac5b

SHA256
9500095a5a85f716412f4c3e42fdbdad279e870b16a4e386ab7beb9b82e37a8c

SHA512
2e18eb267866619398265cbb7e8d622c748c0402d8e52a82b0b419194eac7a5e7707043f313596c9632f083bea43ed22397855071b6d4128acdda8ec1eaacf97

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\VMProtectSDK32.dll

Filesize
98KB

MD5
afbc9d53d31478a193ce74d24d07196d

SHA1
970a6c02bacdb4506bb88258fccf1bdf776d17b2

SHA256
8a154897ec692a3a8571952e8caec49c09bddcc57b1ca9a9b54184fc66ae2982

SHA512
02a52fe395bdfc7399d1b2c811923ece1e3b96dac9e7e0819acc7b7946921d606c1b6f8b38fee8b5a9bb7d84ef6978b6b2b14951d1542cd4e14c8b5b310cf057

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\main.ini

Filesize
248B

MD5
11155e0090968aa58b4e4ec1fc9bd34e

SHA1
468d08b99252eafc1ca85590e88ee794fb17e02a

SHA256
e1bd17a65044837c21f60b0d2a3035a72fddae90df2d9ece0c6a531d597e5d0e

SHA512
55246eaf5b7f83748a600e5f235f9791efb1c2ea0f962cd57df23289cf21310f4a1e56d4c7cc44bfd424e957fa608b5af5fd3d59baaa59e905da36d27ffb0fdb

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\node.dll

Filesize
16.0MB

MD5
477f86e7501168050e657b76078662e3

SHA1
d756bc4f9af91d29d7cf541974a6f55e1a0ecd63

SHA256
86757d7c22ee09e27d673c51007f4b28cbbc8f09fe78d92feb1617b399d152ca

SHA512
1aa889c09d63e011edb351059a294f1318473237efb44ecde05674a7ac70311a7628d08e38e18b9f12c2df9e06f06d31be0b44e42078c977f8ac4063398172cd

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe

Filesize
174KB

MD5
250175abee5aa98c9805a4ba1fc5c0f5

SHA1
803254dc885e94a77096cc53c2888ab425db9f30

SHA256
4cad083c8bcafb53a9834d98c938c4a17904c06aff6c6a23e3568dffce0e923d

SHA512
e1b3f5d5d3fd7ef427b8ebb0821c0230015289cc0beed290302f5891b0bafca2fe276d3e5fc9b5eed986d1945de08a344ccc21172017431efeb81ea2b3daa4e2

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll

Filesize
334KB

MD5
904af7508f0d328e7c7143e4851e238e

SHA1
85a791f1c52884ea16297ea66681d7a5eeb54708

SHA256
28aba656592b3f2c7617fe8a0fde8c19d11340b99bad0f324bc6a733deacad5e

SHA512
e2a603f1489c6db3456c833d11acab8adcfe7e98a7aa19d6df3e356c96073ed58c188b12cacdabd37700927c63c0c737303b2933ea26ef87919ea360b85ecf48

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdftools.dll

Filesize
108KB

MD5
92fe04ae41e97f3c66577838ee84cce4

SHA1
1f0a5fd454eeead93d3bc5edb01c06402d634a89

SHA256
481ae7a4b6da5830f7909242d137f1040d6afe4fa8a7bedfdb0000fb810430d9

SHA512
a7c051073744d9e598fc3d6184a232ab0e358ef78d27b8da9bc29862875379d5c0412784d385240937e6cdc36b912ba18b00701ed89151687fbe187a2108b762

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
6.1MB

MD5
122e9fc7e769af2e91d31df6e938889a

SHA1
766c60a43bec69f0a286d3139cbf487f4df0cf77

SHA256
d20fade71c2f893ad663a28a3b0ddc2380dabcaf3e60dc1c3a637f2831863084

SHA512
6a33c8c42747b93ef156959f12109f5b324641dc076ce4d8cb220d5442b578fa46b8891eaae11ef652a5ffe1255edbbae77301c26a0ffad40384b7dd3edff1e6

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\PDFXEditCore.x86.dll

Filesize
35.2MB

MD5
7405bfafceb97d1b3392d3d22a331392

SHA1
bfac9c26f6c7715e6256e81612921d0903783a27

SHA256
1da6b0fc2f63f381f39a6ba04c72ab1b1abad36effa10c971427b6abfb9e51ce

SHA512
d90468d588932959977265eac229530f2a0866ceb9c0ddf165857af287822e02d67005e2b08eaed5c37a6a14064f2fe375bd5f145b85ab0c85943d0708518083

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\PDFXEditCore.x86.dll

Filesize
35.2MB

MD5
7405bfafceb97d1b3392d3d22a331392

SHA1
bfac9c26f6c7715e6256e81612921d0903783a27

SHA256
1da6b0fc2f63f381f39a6ba04c72ab1b1abad36effa10c971427b6abfb9e51ce

SHA512
d90468d588932959977265eac229530f2a0866ceb9c0ddf165857af287822e02d67005e2b08eaed5c37a6a14064f2fe375bd5f145b85ab0c85943d0708518083

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\Uninst.exe

Filesize
1.4MB

MD5
a5531167bddee0cf9c9571db48cfd510

SHA1
235d4289bafba8d6a7cadebdbdd1a5ba0260c418

SHA256
b14dfbd61d055e5a24ea9d57e9c379ac51ad0b3d43b85da363b35f1c23dcab12

SHA512
2629f0095234162fd3d773d41dd8749e3bad024fe79004b8deade3ac74bd8bf91082456de68e84e8beb99a7faad09549429f12b17c0d8feeec76d232e0b9043c

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\UserAndPayClient.dll

Filesize
3.8MB

MD5
35753fe8257bc37be3163bc22c76a410

SHA1
dfae70796d06ac62f277bb570ae33c632ec0ac5b

SHA256
9500095a5a85f716412f4c3e42fdbdad279e870b16a4e386ab7beb9b82e37a8c

SHA512
2e18eb267866619398265cbb7e8d622c748c0402d8e52a82b0b419194eac7a5e7707043f313596c9632f083bea43ed22397855071b6d4128acdda8ec1eaacf97

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\UserAndPayClient.dll

Filesize
3.8MB

MD5
35753fe8257bc37be3163bc22c76a410

SHA1
dfae70796d06ac62f277bb570ae33c632ec0ac5b

SHA256
9500095a5a85f716412f4c3e42fdbdad279e870b16a4e386ab7beb9b82e37a8c

SHA512
2e18eb267866619398265cbb7e8d622c748c0402d8e52a82b0b419194eac7a5e7707043f313596c9632f083bea43ed22397855071b6d4128acdda8ec1eaacf97

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\VMProtectSDK32.dll

Filesize
98KB

MD5
afbc9d53d31478a193ce74d24d07196d

SHA1
970a6c02bacdb4506bb88258fccf1bdf776d17b2

SHA256
8a154897ec692a3a8571952e8caec49c09bddcc57b1ca9a9b54184fc66ae2982

SHA512
02a52fe395bdfc7399d1b2c811923ece1e3b96dac9e7e0819acc7b7946921d606c1b6f8b38fee8b5a9bb7d84ef6978b6b2b14951d1542cd4e14c8b5b310cf057

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\VMProtectSDK32.dll

Filesize
98KB

MD5
afbc9d53d31478a193ce74d24d07196d

SHA1
970a6c02bacdb4506bb88258fccf1bdf776d17b2

SHA256
8a154897ec692a3a8571952e8caec49c09bddcc57b1ca9a9b54184fc66ae2982

SHA512
02a52fe395bdfc7399d1b2c811923ece1e3b96dac9e7e0819acc7b7946921d606c1b6f8b38fee8b5a9bb7d84ef6978b6b2b14951d1542cd4e14c8b5b310cf057

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\node.dll

Filesize
16.0MB

MD5
477f86e7501168050e657b76078662e3

SHA1
d756bc4f9af91d29d7cf541974a6f55e1a0ecd63

SHA256
86757d7c22ee09e27d673c51007f4b28cbbc8f09fe78d92feb1617b399d152ca

SHA512
1aa889c09d63e011edb351059a294f1318473237efb44ecde05674a7ac70311a7628d08e38e18b9f12c2df9e06f06d31be0b44e42078c977f8ac4063398172cd

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe

Filesize
174KB

MD5
250175abee5aa98c9805a4ba1fc5c0f5

SHA1
803254dc885e94a77096cc53c2888ab425db9f30

SHA256
4cad083c8bcafb53a9834d98c938c4a17904c06aff6c6a23e3568dffce0e923d

SHA512
e1b3f5d5d3fd7ef427b8ebb0821c0230015289cc0beed290302f5891b0bafca2fe276d3e5fc9b5eed986d1945de08a344ccc21172017431efeb81ea2b3daa4e2

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe

Filesize
174KB

MD5
250175abee5aa98c9805a4ba1fc5c0f5

SHA1
803254dc885e94a77096cc53c2888ab425db9f30

SHA256
4cad083c8bcafb53a9834d98c938c4a17904c06aff6c6a23e3568dffce0e923d

SHA512
e1b3f5d5d3fd7ef427b8ebb0821c0230015289cc0beed290302f5891b0bafca2fe276d3e5fc9b5eed986d1945de08a344ccc21172017431efeb81ea2b3daa4e2

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe

Filesize
174KB

MD5
250175abee5aa98c9805a4ba1fc5c0f5

SHA1
803254dc885e94a77096cc53c2888ab425db9f30

SHA256
4cad083c8bcafb53a9834d98c938c4a17904c06aff6c6a23e3568dffce0e923d

SHA512
e1b3f5d5d3fd7ef427b8ebb0821c0230015289cc0beed290302f5891b0bafca2fe276d3e5fc9b5eed986d1945de08a344ccc21172017431efeb81ea2b3daa4e2

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe

Filesize
174KB

MD5
250175abee5aa98c9805a4ba1fc5c0f5

SHA1
803254dc885e94a77096cc53c2888ab425db9f30

SHA256
4cad083c8bcafb53a9834d98c938c4a17904c06aff6c6a23e3568dffce0e923d

SHA512
e1b3f5d5d3fd7ef427b8ebb0821c0230015289cc0beed290302f5891b0bafca2fe276d3e5fc9b5eed986d1945de08a344ccc21172017431efeb81ea2b3daa4e2

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll

Filesize
334KB

MD5
904af7508f0d328e7c7143e4851e238e

SHA1
85a791f1c52884ea16297ea66681d7a5eeb54708

SHA256
28aba656592b3f2c7617fe8a0fde8c19d11340b99bad0f324bc6a733deacad5e

SHA512
e2a603f1489c6db3456c833d11acab8adcfe7e98a7aa19d6df3e356c96073ed58c188b12cacdabd37700927c63c0c737303b2933ea26ef87919ea360b85ecf48

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll

Filesize
334KB

MD5
904af7508f0d328e7c7143e4851e238e

SHA1
85a791f1c52884ea16297ea66681d7a5eeb54708

SHA256
28aba656592b3f2c7617fe8a0fde8c19d11340b99bad0f324bc6a733deacad5e

SHA512
e2a603f1489c6db3456c833d11acab8adcfe7e98a7aa19d6df3e356c96073ed58c188b12cacdabd37700927c63c0c737303b2933ea26ef87919ea360b85ecf48

Download Submit
\Users\Admin\AppData\Roaming\fypdfeditor\pdftools.dll

Filesize
108KB

MD5
92fe04ae41e97f3c66577838ee84cce4

SHA1
1f0a5fd454eeead93d3bc5edb01c06402d634a89

SHA256
481ae7a4b6da5830f7909242d137f1040d6afe4fa8a7bedfdb0000fb810430d9

SHA512
a7c051073744d9e598fc3d6184a232ab0e358ef78d27b8da9bc29862875379d5c0412784d385240937e6cdc36b912ba18b00701ed89151687fbe187a2108b762

Download Submit
memory/768-76-0x0000000000000000-mapping.dmp

Download
memory/768-77-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

Filesize
8KB

Download
memory/1080-94-0x0000000000000000-mapping.dmp

Download
memory/1272-70-0x0000000000000000-mapping.dmp

Download
memory/1444-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1720-85-0x0000000000000000-mapping.dmp

Download
memory/1756-62-0x0000000000000000-mapping.dmp

Download
memory/1896-69-0x0000000000000000-mapping.dmp

Download