322d47fcdc11c5bc9e22aae2dbc9a0298d774111958f661840b6ffa167b969f5

Analysis

max time kernel
88s
max time network
161s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
19/04/2023, 07:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

pdfelement-pro_full5239.exe
Size

149.8MB
MD5

3e878afcf65f6eeff94b0b5c62137ee8
SHA1

626b7204651c16b01c574358125350e86fc2cad8
SHA256

322d47fcdc11c5bc9e22aae2dbc9a0298d774111958f661840b6ffa167b969f5
SHA512

78e375d5a3cc66eddbfc6dbc12a8bca077b0741072989aae8ab07254710c692b7964f2278e3d1356a23c60bdf83db3984dcf062c82055c2009e42c6437795e46
SSDEEP

3145728:/U/7QVqiuOKX6yZoB5oh5id99H1iNjvzgWalNCQKw934YbbXJksKJjsmSOqAF:sjMqC06XB5xdDVaHg5lNeweYbdksKhsw

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
1356	pdfelement-pro_full5239.tmp
968	PEPreviewDeployment.exe
1780	_setup64.tmp
784	PEAddInDeployment.exe
316	PEShellContextMenu4.exe
1496	PEShellContextMenu4.exe
1368	FileAssociation.exe
1620	WSPrtSetup.exe
360	Process not Found
1132	PEToolDeployment.exe
1532	PEToolDeployment.exe
1856	PEToolDeployment.exe
1808	PEPreviewDeployment.exe
304	PENotify.exe
1888	PEToolDeployment.exe
2684	PEPreviewDeployment.exe
2728	fontlistsave.exe

Loads dropped DLL 41 IoCs

pid	Process
268	pdfelement-pro_full5239.exe
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
360	Process not Found
360	Process not Found
360	Process not Found
360	Process not Found
360	Process not Found
360	Process not Found
1888	regsvr32.exe
1888	regsvr32.exe
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
304	PENotify.exe
1668	regasm.exe
1668	regasm.exe
1668	regasm.exe
1668	regasm.exe
1668	regasm.exe
1668	regasm.exe
1668	regasm.exe
1668	regasm.exe
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
2740	Process not Found
2728	fontlistsave.exe
2728	fontlistsave.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\ = "mscoree.dll"	PEAddInDeployment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DF83C4E9-D71A-4411-A9CD-1130412C5FC0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DF83C4E9-D71A-4411-A9CD-1130412C5FC0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\1.0.0.68\Class = "au5"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\1.0.0.68\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\1.0.6860.23340\Class = "PEOfficeAddIn.Connect"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\1.0.6860.23340\Assembly = "PEOfficeAddIn, Version=1.0.6860.23340, Culture=neutral, PublicKeyToken=null"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\9.0.0.40\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Shell Extensions/PEShellContextMenu4.exe"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\1.0.6860.23340\RuntimeVersion = "v4.0.30319"	PEAddInDeployment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\ = "mscoree.dll"	PEShellContextMenu4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\9.0.0.40	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\9.0.0.40\Class = "i9u"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\1.0.0.68	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\1.0.6860.23340\ = "mscoree.dll"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\1.0.6860.23340\CodeBase = "File:///C:/Program Files/Common Files/Wondershare/PDFelement9/AddIns/PEOfficeAddIn_x64.dll"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DF83C4E9-D71A-4411-A9CD-1130412C5FC0}\InprocServer32\ = "C:\\Program Files\\Common Files\\Wondershare\\PDFelement9\\Preview\\1.0.0.68\\PDFThumbnailHandler.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\1.0.6860.23340	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\1.0.0.68\Class = "auu"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\ThreadingModel = "Both"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\9.0.0.40\RuntimeVersion = "v4.0.30319"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68\Class = "PE.Preview.PDF.PDFPreview"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\Class = "PEOfficeAddIn.Connect"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\Assembly = "PEOfficeAddIn, Version=1.0.6860.23340, Culture=neutral, PublicKeyToken=null"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\Class = "PE.Preview.PDF.PDFPreview"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\Class = "au5"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\1.0.0.68\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\1.0.0.68\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\1.0.0.68\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\ThreadingModel = "Both"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Shell Extensions/PEShellContextMenu4.exe"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\1.0.0.68	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\Class = "auu"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\1.0.0.68\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\9.0.0.40\Assembly = "PEShellContextMenu4, Version=9.0.0.40, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	PEShellContextMenu4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\1.0.0.68\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\CodeBase = "File:///C:/Program Files/Common Files/Wondershare/PDFelement9/AddIns/PEOfficeAddIn_x64.dll"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\RuntimeVersion = "v4.0.30319"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\Class = "i9u"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\RuntimeVersion = "v4.0.30319"	PEShellContextMenu4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\Assembly = "PEShellContextMenu4, Version=9.0.0.40, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	PEShellContextMenu4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PECRT32.dll	pdfelement-pro_full5239.tmp
File created	C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT5.DLL	WSPrtSetup.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT.NTF	WSPrtSetup.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PDFCREAT.PPD	WSPrtSetup.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PS5UI.DLL	WSPrtSetup.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\PSCRIPT.HLP	WSPrtSetup.exe
File created	C:\Windows\SysWOW64\is-LOTV0.tmp	pdfelement-pro_full5239.tmp
File created	C:\Windows\system32\PEPrinterMonitor.dll	WSPrtSetup.exe
File opened for modification	C:\Windows\system32\PEPrinterMonitor.dll	WSPrtSetup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-JUJEI.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\PECaptureTool.exe	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\x64\PSCRIPT5.DLL	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\WUL.Svg.dll	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-E9GC0.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-ODA94.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\is-V9N3M.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-JKF5F.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\PdfDbEditor.dll	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\fontlistsave.exe	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\BugSplatRc64.dll	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-SNT4K.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\api-ms-win-crt-multibyte-l1-1-0.dll	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-K57IV.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-JGUHE.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-FDMUN.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-VSA60.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\api-ms-win-crt-locale-l1-1-0.dll	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\libPdfCore.dll	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-LDKL8.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\is-JJ5TG.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\is-M4JKP.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\is-OFL8U.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-MNLVK.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\WsAP-PDFelement.dll	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-EQDOE.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-QFLD3.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\PEToolboxMonitor.dll	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\is-5FB9H.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\Intro\PDFelement\DEU\is-UQEUM.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\x64\PS5UI.DLL	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Newtonsoft.Json.dll	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-ME189.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-D66QR.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-H2RKF.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\Languages\PDFelement\is-1IK1U.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-R8S0V.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-HU8AT.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\is-542AI.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-DDH03.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\is-L8134.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\is-6I9SK.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\is-6MU2U.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\is-TCBUM.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-8O1FQ.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-PD4AL.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-9PB5E.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\Languages\Uninstall\is-03K25.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\concrt140.dll	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\WsAP-PDFelement.dll	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\PrinterRepairTool.exe	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\is-LRIEQ.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\Languages\Uninstall\is-TPGL8.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SpellCheck\PTG\is-8ENGO.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\WUL.Svg.dll	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\WSPrtSetup.exe	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-ECMGG.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-JO730.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-FO22D.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\CMap\is-L2A79.tmp	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\SpellCheck\NLD\is-BT4QH.tmp	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\ucrtbase.dll	pdfelement-pro_full5239.tmp
File opened for modification	C:\Program Files\Wondershare\PDFelement9\PEPreviewDeployment.exe	pdfelement-pro_full5239.tmp
File created	C:\Program Files\Wondershare\PDFelement9\is-HBQB4.tmp	pdfelement-pro_full5239.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1584	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\ProgId\ = "au5"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DF83C4E9-D71A-4411-A9CD-1130412C5FC0}\InprocServer32\ = "C:\\Program Files\\Common Files\\Wondershare\\PDFelement9\\Preview\\1.0.0.68\\PDFThumbnailHandler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\ = "PDFPreview"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\AppID = "{815baf99-0c5d-4fa8-8ccd-1129ee6d25ba}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\Class = "au5"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\9.0.0.40\RuntimeVersion = "v4.0.30319"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5C1DDF80-80FA-3855-9D3F-A426014090BA}\1.0.0.68\Class = "as5"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFelement.AssocFile.PDF\shell\open\FriendlyAppName = "Wondershare PDFelement"	FileAssociation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\ProgId	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PEOfficeAddIn.Connect\CLSID	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\1.0.6859.32006\ = "mscoree.dll"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\9.0.0.40\Class = "i9u"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68\Class = "PE.Preview.PDF.PDFPreview"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\RuntimeVersion = "v4.0.30319"	PEAddInDeployment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFelement.AssocFile.FDF\shell\open\command	FileAssociation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{815baf99-0c5d-4fa8-8ccd-1129ee6d25b9}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\CodeBase = "file:///C:/Program Files (x86)/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{815baf99-0c5d-4fa8-8ccd-1129ee6d25b9}"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32\ThreadingModel = "Both"	PEShellContextMenu4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\ = "mscoree.dll"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\au5\ = "au5"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DF83C4E9-D71A-4411-A9CD-1130412C5FC0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\au5\CLSID\ = "{40A41303-42B0-3A6C-83BE-5077DB73EAC0}"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\RuntimeVersion = "v4.0.30319"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PE.Preview.PDF.PDFPreview\ = "PE.Preview.PDF.PDFPreview"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\ = "auu"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\Implemented Categories	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5C1DDF80-80FA-3855-9D3F-A426014090BA}\1.0.0.68\CodeBase = "file:///C:/Program Files/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\ = "PEOfficeAddIn.Connect"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\ProgId\ = "PEOfficeAddIn.Connect"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DDC42084-A006-3A9C-8C7C-6F8CB28F8186}\1.0.0.68\CodeBase = "file:///C:/Program Files (x86)/Common Files/Wondershare/PDFelement9/Preview/1.0.0.68/PEPreview4.DLL"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}"	pdfelement-pro_full5239.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\Class = "au5"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\1.0.0.68\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\1.0.6860.23340\Class = "PEOfficeAddIn.Connect"	PEAddInDeployment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ea6c980d-7823-3752-88ac-d43b3a873d20}\InprocServer32	PEShellContextMenu4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFelement.AssocFile.PDF\EditFlags = "65536"	FileAssociation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\ThreadingModel = "Both"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{40A41303-42B0-3A6C-83BE-5077DB73EAC0}\InprocServer32\1.0.0.68\Class = "au5"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49BF25A4-E2D4-358B-A75B-08BC3F5F7AB9}\InprocServer32\1.0.0.68\Assembly = "PEPreview4, Version=1.0.0.68, Culture=neutral, PublicKeyToken=a0a98582c8d3e9fb"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFelement.AssocFile.FDF\shell\open\command\ = "\"C:\\Program Files\\Wondershare\\PDFelement9\\PDFelement.exe\" \"%1\""	FileAssociation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\1.0.0.68\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\ProgId	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\ = "PE.Preview.PDF.PDFPreview"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\InprocServer32\Class = "PE.Preview.PDF.PDFPreview"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DDC42084-A006-3A9C-8C7C-6F8CB28F8186}\1.0.0.68\RuntimeVersion = "v4.0.30319"	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wspe8	pdfelement-pro_full5239.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AB6CE26-ED92-47B3-AC4A-24BCECE80A53}\InprocServer32\ThreadingModel = "Both"	PEAddInDeployment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DDC42084-A006-3A9C-8C7C-6F8CB28F8186}\1.0.0.68\Class = "asm"	regasm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9}\DisableLowILProcessIsolation = "1"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\auu\ = "auu"	regasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DDC42084-A006-3A9C-8C7C-6F8CB28F8186}\1.0.0.68\RuntimeVersion = "v4.0.30319"	regasm.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	PENotify.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	PENotify.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	PENotify.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	PENotify.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1356	pdfelement-pro_full5239.tmp
1356	pdfelement-pro_full5239.tmp
784	PEAddInDeployment.exe
784	PEAddInDeployment.exe
1956	chrome.exe
1956	chrome.exe
304	PENotify.exe
304	PENotify.exe
304	PENotify.exe
304	PENotify.exe
304	PENotify.exe
304	PENotify.exe
304	PENotify.exe
304	PENotify.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	PEAddInDeployment.exe
Token: SeDebugPrivilege	304	PENotify.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	304	PENotify.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1356	pdfelement-pro_full5239.tmp
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
304	PENotify.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
304	PENotify.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
304	PENotify.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
304	PENotify.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 1356	268	pdfelement-pro_full5239.exe	28
PID 268 wrote to memory of 1356	268	pdfelement-pro_full5239.exe	28
PID 268 wrote to memory of 1356	268	pdfelement-pro_full5239.exe	28
PID 268 wrote to memory of 1356	268	pdfelement-pro_full5239.exe	28
PID 268 wrote to memory of 1356	268	pdfelement-pro_full5239.exe	28
PID 268 wrote to memory of 1356	268	pdfelement-pro_full5239.exe	28
PID 268 wrote to memory of 1356	268	pdfelement-pro_full5239.exe	28
PID 1356 wrote to memory of 968	1356	pdfelement-pro_full5239.tmp	29
PID 1356 wrote to memory of 968	1356	pdfelement-pro_full5239.tmp	29
PID 1356 wrote to memory of 968	1356	pdfelement-pro_full5239.tmp	29
PID 1356 wrote to memory of 968	1356	pdfelement-pro_full5239.tmp	29
PID 1356 wrote to memory of 1780	1356	pdfelement-pro_full5239.tmp	31
PID 1356 wrote to memory of 1780	1356	pdfelement-pro_full5239.tmp	31
PID 1356 wrote to memory of 1780	1356	pdfelement-pro_full5239.tmp	31
PID 1356 wrote to memory of 1780	1356	pdfelement-pro_full5239.tmp	31
PID 1356 wrote to memory of 784	1356	pdfelement-pro_full5239.tmp	33
PID 1356 wrote to memory of 784	1356	pdfelement-pro_full5239.tmp	33
PID 1356 wrote to memory of 784	1356	pdfelement-pro_full5239.tmp	33
PID 1356 wrote to memory of 784	1356	pdfelement-pro_full5239.tmp	33
PID 1356 wrote to memory of 316	1356	pdfelement-pro_full5239.tmp	36
PID 1356 wrote to memory of 316	1356	pdfelement-pro_full5239.tmp	36
PID 1356 wrote to memory of 316	1356	pdfelement-pro_full5239.tmp	36
PID 1356 wrote to memory of 316	1356	pdfelement-pro_full5239.tmp	36
PID 316 wrote to memory of 1496	316	PEShellContextMenu4.exe	38
PID 316 wrote to memory of 1496	316	PEShellContextMenu4.exe	38
PID 316 wrote to memory of 1496	316	PEShellContextMenu4.exe	38
PID 1356 wrote to memory of 1368	1356	pdfelement-pro_full5239.tmp	40
PID 1356 wrote to memory of 1368	1356	pdfelement-pro_full5239.tmp	40
PID 1356 wrote to memory of 1368	1356	pdfelement-pro_full5239.tmp	40
PID 1356 wrote to memory of 1368	1356	pdfelement-pro_full5239.tmp	40
PID 1356 wrote to memory of 1620	1356	pdfelement-pro_full5239.tmp	42
PID 1356 wrote to memory of 1620	1356	pdfelement-pro_full5239.tmp	42
PID 1356 wrote to memory of 1620	1356	pdfelement-pro_full5239.tmp	42
PID 1356 wrote to memory of 1620	1356	pdfelement-pro_full5239.tmp	42
PID 1356 wrote to memory of 1620	1356	pdfelement-pro_full5239.tmp	42
PID 1356 wrote to memory of 1620	1356	pdfelement-pro_full5239.tmp	42
PID 1356 wrote to memory of 1620	1356	pdfelement-pro_full5239.tmp	42
PID 1356 wrote to memory of 1584	1356	pdfelement-pro_full5239.tmp	43
PID 1356 wrote to memory of 1584	1356	pdfelement-pro_full5239.tmp	43
PID 1356 wrote to memory of 1584	1356	pdfelement-pro_full5239.tmp	43
PID 1356 wrote to memory of 1584	1356	pdfelement-pro_full5239.tmp	43
PID 1356 wrote to memory of 1888	1356	pdfelement-pro_full5239.tmp	45
PID 1356 wrote to memory of 1888	1356	pdfelement-pro_full5239.tmp	45
PID 1356 wrote to memory of 1888	1356	pdfelement-pro_full5239.tmp	45
PID 1356 wrote to memory of 1888	1356	pdfelement-pro_full5239.tmp	45
PID 1356 wrote to memory of 1888	1356	pdfelement-pro_full5239.tmp	45
PID 1356 wrote to memory of 1888	1356	pdfelement-pro_full5239.tmp	45
PID 1356 wrote to memory of 1888	1356	pdfelement-pro_full5239.tmp	45
PID 1356 wrote to memory of 1132	1356	pdfelement-pro_full5239.tmp	46
PID 1356 wrote to memory of 1132	1356	pdfelement-pro_full5239.tmp	46
PID 1356 wrote to memory of 1132	1356	pdfelement-pro_full5239.tmp	46
PID 1356 wrote to memory of 1132	1356	pdfelement-pro_full5239.tmp	46
PID 1132 wrote to memory of 1180	1132	PEToolDeployment.exe	47
PID 1132 wrote to memory of 1180	1132	PEToolDeployment.exe	47
PID 1132 wrote to memory of 1180	1132	PEToolDeployment.exe	47
PID 1356 wrote to memory of 1532	1356	pdfelement-pro_full5239.tmp	48
PID 1356 wrote to memory of 1532	1356	pdfelement-pro_full5239.tmp	48
PID 1356 wrote to memory of 1532	1356	pdfelement-pro_full5239.tmp	48
PID 1356 wrote to memory of 1532	1356	pdfelement-pro_full5239.tmp	48
PID 1532 wrote to memory of 1000	1532	PEToolDeployment.exe	51
PID 1532 wrote to memory of 1000	1532	PEToolDeployment.exe	51
PID 1532 wrote to memory of 1000	1532	PEToolDeployment.exe	51
PID 512 wrote to memory of 1856	512	explorer.exe	52
PID 512 wrote to memory of 1856	512	explorer.exe	52

C:\Users\Admin\AppData\Local\Temp\pdfelement-pro_full5239.exe
"C:\Users\Admin\AppData\Local\Temp\pdfelement-pro_full5239.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268
- C:\Users\Admin\AppData\Local\Temp\is-J0SV5.tmp\pdfelement-pro_full5239.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J0SV5.tmp\pdfelement-pro_full5239.tmp" /SL5="$80130,156199013,339456,C:\Users\Admin\AppData\Local\Temp\pdfelement-pro_full5239.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe" /NeedInstall /Clsid:{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9} /NewVersion:1.0.0.68 /Is64BitSystem
    3⤵
    - Executes dropped EXE
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\_isetup\_setup64.tmp
    helper 105 0x200
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Program Files\Wondershare\PDFelement9\PEAddInDeployment.exe
    "C:\Program Files\Wondershare\PDFelement9\PEAddInDeployment.exe"
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- - C:\Program Files\Wondershare\PDFelement9\PEShellContextMenu4.exe
    "C:\Program Files\Wondershare\PDFelement9\PEShellContextMenu4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Program Files\Common Files\Wondershare\PDFelement9\Shell Extensions\PEShellContextMenu4.exe
      "C:\Program Files\Common Files\Wondershare\PDFelement9\Shell Extensions\PEShellContextMenu4.exe"
      4⤵
      Executes dropped EXE
      Registers COM server for autorun
      Modifies registry class
      PID:1496
- - C:\Program Files\Wondershare\PDFelement9\FileAssociation.exe
    "C:\Program Files\Wondershare\PDFelement9\FileAssociation.exe" /a .fdf;.pdf "C:\Program Files\Wondershare\PDFelement9\PDFelement.exe" "C:\Program Files\Wondershare\PDFelement9\projectfile.ico" /FriendlyAppName "Wondershare PDFelement"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1368
- - C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\WSPrtSetup.exe
    "C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\WSPrtSetup.exe" /log "C:\Users\Admin\AppData\Roaming\Wondershare\PDFelement9\log\InstallVirtualPrinter.log" /dvrname "Wondershare PDFelement" /prtname "Wondershare PDFelement" /monname "Wondershare PDFelement Monitor" /monport "Wondershare PDFelement Port" /monfile "PEPrinterMonitor.dll"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1620
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" start Spooler
    3⤵
    - Launches sc.exe
    PID:1584
- - C:\Windows\system32\regsvr32.exe
    "regsvr32.exe" /s "C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PDFThumbnailHandler.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1888
- - C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe
    "C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe" /install /path "C:\Program Files\Wondershare\PDFelement9\PDFToolbox.exe" /notifydeviceboot 1 /defaultnotifydeviceboot 1 /deviceboot "Wondershare PEToolbox.lnk" /startup /explorerstartup proxy /entrance DeviceBoot /loggernameend .Install
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe
      4⤵
      PID:1180
- - C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe
    "C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe" /install /path "C:\Program Files\Wondershare\PDFelement9\PECaptureTool.exe" /notifydeviceboot 1 /defaultnotifydeviceboot 1 /deviceboot "Wondershare PEScreenshot.lnk" /startup /explorerstartup proxy /entrance DeviceBoot /loggernameend .Install
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe
      4⤵
      PID:1000
- - C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe" /Install "/Net4032Dll:C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PEPreview4.dll" "/Net2032Dll:C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PEPreview.dll" "/Net4064Dll:C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PEPreview4.dll" "/Net2064Dll:C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PEPreview.dll" /Is64BitSystem
    3⤵
    - Executes dropped EXE
    PID:1808
  - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.Net\Framework\v4.0.30319\regasm.exe" /codebase "C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PEPreview4.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1668
  - - C:\Windows\Microsoft.Net\Framework64\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\regasm.exe" /codebase "C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PEPreview4.dll"
      4⤵
      Registers COM server for autorun
      Modifies registry class
      PID:2540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" http://cbs.wondershare.com/go.php?pid=5257&m=i&product_version=9.4.7&client_sign={f13adaf1-7f03-4a2a-b732-11912f07e3a9G}&is_silent_install=2
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1956
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef58f9758,0x7fef58f9768,0x7fef58f9778
      4⤵
      PID:1728
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1184,i,8154693096365730585,259022742510787145,131072 /prefetch:2
      4⤵
      PID:1492
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1184,i,8154693096365730585,259022742510787145,131072 /prefetch:8
      4⤵
      PID:1720
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1424 --field-trial-handle=1184,i,8154693096365730585,259022742510787145,131072 /prefetch:8
      4⤵
      PID:560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1184,i,8154693096365730585,259022742510787145,131072 /prefetch:1
      4⤵
      PID:2256
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1184,i,8154693096365730585,259022742510787145,131072 /prefetch:1
      4⤵
      PID:2264
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3184 --field-trial-handle=1184,i,8154693096365730585,259022742510787145,131072 /prefetch:1
      4⤵
      PID:2800
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1324 --field-trial-handle=1184,i,8154693096365730585,259022742510787145,131072 /prefetch:2
      4⤵
      PID:1368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2540 --field-trial-handle=1184,i,8154693096365730585,259022742510787145,131072 /prefetch:2
      4⤵
      PID:2904
- - C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe" /Uninstall /Clsid:{815BAF99-0C5D-4FA8-8CCD-1129EE6D25B9} /OnlyOldVersion /Is64BitSystem
    3⤵
    - Executes dropped EXE
    PID:2684
- - C:\Program Files\Wondershare\PDFelement9\fontlistsave.exe
    "C:\Program Files\Wondershare\PDFelement9\fontlistsave.exe" C:\Users\Admin\AppData\Roaming\Wondershare\PDFelement9\Config\SystemFontList.cfg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe
  "C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe"
  2⤵
  - Executes dropped EXE
  PID:1856
- - C:\Program Files\Wondershare\PDFelement9\PENotify.exe
    "C:\Program Files\Wondershare\PDFelement9\PENotify.exe" "/enablenotify" "1" "/path" "PDFToolbox" "/defaultnotifydeviceboot" "1" "/explorerstartup" "proxy" "/entrance" "DeviceBoot" "/loggernameend" ".Install"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1336
- C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe
  "C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe"
  2⤵
  - Executes dropped EXE
  PID:1888

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Newtonsoft.Json.dll

Filesize
459KB

MD5
43211efd8c506f45ed17cb5cc9b9e819

SHA1
ddd9404796a3dce9e1bce63cdf7cfa3cdc6f53a3

SHA256
ddf3874be55137271dd5b2c4d052b273d3543c49352fafcc37ef877f4a0c025d

SHA512
257caddf09404158eaca274573f8539f72ab19fcb23f73845ea62914e6c1eb29998f0abf5f089d4951ff8a18fdf33a09e4cf9d0dc6a2a89d440fc220111d8e4d

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PDFCore.dll

Filesize
1.2MB

MD5
ed573b56f39ca91b73e5270a1adda2d8

SHA1
869c3e75010ee63791e576f75e474308de8a0138

SHA256
55697ead436606ec5fa291116bb17ae47499f086f5c53080d2fb645d74fbf0b3

SHA512
f13e85d004d72cbbff39779d3aa3600af56c1ba53c061e0cc3332b96dbec54acc925bbd51d761a0d58371f3dd605a724d2b8d0d7701b61ab27bada18004fe5b9

Download Submit
C:\Program Files (x86)\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\WUL.Ctrls.dll

Filesize
2.7MB

MD5
b0deb37a816a63df17d52fc434a3cfaa

SHA1
f12581c05b7370f0ffb05420a14b73f93a0545f0

SHA256
66de7bb1ef21e4f129c52f1f2ed5b31a8c944e2ad8412955c5bc4ad732cac163

SHA512
b395ce497268d3b4b6c83267a28884111ae322dec0bb77975721ee2b73c87d69ef3c14c0cce8ee8da5d031e8a3464b0af0f949637cad104f411f163f392367a5

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\Chinese.dat

Filesize
1KB

MD5
56c39e309af1a6f9bcc9ffc6c03787ab

SHA1
03adb1806fb642905168d3cf0c3c7928257ad995

SHA256
60744af893268566873e00dfbb71718c25e0ac97fc456d494ed803e75d87c60b

SHA512
4db422858c0765e5c528f70d46bcc0809bd496a44a7d4b86b35da17888652ab29f93663010144cf9d2dc8123be8c58162cbbb7ee5f8a2b9499c2975235e1f99e

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\ChineseTrad.dat

Filesize
1KB

MD5
706af567453be6c24fd3164ae1bcb256

SHA1
638755694ddb2dcfe4bbf6da1fbe7298ddc4bcb5

SHA256
e9ee5c6b861cdfa443022cc096b174fefc84639d62f61a520da82d98051da3e9

SHA512
53f9e5f4bbc4bf609081f33ebb5469e386c3dbd9ec1215bde5488acacbe4c9fd66fda03e9e0c83060464fc3569d96b9f787fc45f64084ad65ae4906113a21cc2

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\Dutch.dat

Filesize
1KB

MD5
ad74da81dcfecb23cc239cdd1cbc6381

SHA1
26b21325493dfe42f58d55fa075e3a772733b640

SHA256
d9134eff96291502ffde4f4d684ca1f486ca4fdded342e14b2cbdb1463a4a184

SHA512
635d09b3529f3d81de51852ce35fe68cdd3a6964136dac4a82c2b0b68001f4b7c8f0873526d965b1970f7aa5a15f5441ea2f29cf47ddb5ba923c1e0f6ddcaeab

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\English.dat

Filesize
1KB

MD5
87b35a58971d43918c25802b198767c3

SHA1
3591273b4d085835287037b4df5eb08a812196fa

SHA256
8449657870b5b04cec29b7369258eb44efcb2ac136a88f0c42bb20d29cb4bdb3

SHA512
5f7445a0cb8d1a2bba46982ea6618e999f51dee4f5301b66ab363798e47f92c7cf2fc61d464f8d21b86f4068c9d4ab44c63b8f8ca71cfc00b5ea3a4da5b93ceb

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\French.dat

Filesize
1KB

MD5
a44f4ba0372a28e623e63b740b24af53

SHA1
a3b067cb96a4ab2122ebfa7e1fb695b24317998b

SHA256
1c5fd0e622d03d80f0903c935cb295bc13f5f5025a7576780570c0f9522a80a3

SHA512
f02d5beb273135734205220b0d3ac4bb942210c7d6a5b33d5d39d3253bc25d82952307c39e3831cdd8d72984284522c9b65149f6d3b836ad55984318676ba4cb

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\German.dat

Filesize
1KB

MD5
86803d263c970c6ba8092096034b80e3

SHA1
f1bf5e19fd8c83aec64725777fce44ff2ce92d1b

SHA256
257d9f9d7ffd4af1dc1cdc17947aadd88454fb83a72aa9febf3e06f170ceaa7f

SHA512
558be4d72885827613d9ef8322bbe05ba24b5f04e11aa8709c5250aabbb676cf42136165bd3489cc607ef1d75ff0b8032290660bf27393341528e392a0794c24

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\Italian.dat

Filesize
1KB

MD5
c9893256f33cb1047c01483974c9f034

SHA1
73c1bc8621dcf556b85e4a7aacd3066cb9ccf8df

SHA256
89637178e756d5b847d50132919f56e450f9b53f362a59197382e787c7574f36

SHA512
16d012318658a1ddaf7e1d70ae16db9c0a3176fddc5ffb6252f24e9cdc2e156551af3a07cbfc476ffb553f78c255c1729a2fe256ab96cfce3faac2559bcc1afa

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\Japanese.dat

Filesize
1KB

MD5
2a5a949092ef0080ed33fe8730b67502

SHA1
be1a9fd0f8a00aaa85874d6f794dc78fc773d4af

SHA256
ee654d15a978f1a10b0f245cdea5aacf2e64bbd2a46087fe07913edbd204c9ed

SHA512
acf48ed619b4bb52b6f78dc18e83fcf4603a604bdbe963883a240c771b80104d65c533cdb2661c9c8657ec0c30c09ed522362d074736fd27b5bf101777cfdb55

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\Korean.dat

Filesize
1KB

MD5
6a2cdb3374539d30e740faee4efc199f

SHA1
84b5a967f3a36c680ddf793a73ffe7903f5c0f44

SHA256
ca854fda32b4a7d162551e2a3528e4e05e4ca0cff4b01571b6b2fe24c7523cfa

SHA512
c010d23f34908c7d9793a8522151b57d7a6c6afd76bf9087d9bf6086f006127e69d91e41e2bf27feba9c9b9c1416a5a426261504f4d9d43503cd988fd2e6de60

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\Portuguese.dat

Filesize
1KB

MD5
e728781bb89a0b7a3ed0e8bd3b69095a

SHA1
fef29889dda8cc0d9b5fcd3e921db1dd30de3e2b

SHA256
5d2b2ab441654a460d1a6f544355dce35d564cd85422c5a48ba0f5782cac9fc2

SHA512
1d1b347bfa9dae9f0ec5e20c93d3da59ed4fdf684e43b0abc0673052b38033d1eaee71a663ce917458215ed7792853a5c65cec2c7d3e7ae35ed12e135cb4dcbe

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\Russian.dat

Filesize
1KB

MD5
f24df3f1bdffa9bf62e5469baf7b8592

SHA1
99cfb37c1c7bffadf67cb270454e55318039eb24

SHA256
728f2db1ca5fc65b181e561cc768ef70a752edfcaf65deb39f380af07c6fb3d4

SHA512
82f565a2375538093f5dde48e103754765621016c1811917bc6ace6592857a3c70df90df40042d2771de0dcbb1eb36a1bcffc1faeed6523fce2db0517c2f5006

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Languages\Preview\Spanish.dat

Filesize
1KB

MD5
0812951e0c76719e77ac8b198540c51f

SHA1
d78d9cd3cf36bd96952b227ceb22bb1db4aa5d6d

SHA256
122df514ae77cceddc97ac24d232767347c5ed8303ac27e04a77b485fff6ca69

SHA512
4cf9da6cb973c5e3958ed8204305c25b66261bd51f9d0c3cab235498a0549fe711a9f7b7a6b27a4343ef7069e7de1a7debd92fea105e214d81cb47b8fbd76242

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PDFThumbnailHandler.dll

Filesize
320KB

MD5
de7fa9ad647e8a64384ea3b1a2225713

SHA1
6b2008853cf62da8b4518177adeda8e60ff61899

SHA256
c139cc771902134d332d75a380b31cf78f73339fc7173e951c9193f3a46279c2

SHA512
7626ddbf36382f53b1ec9ff57fb03f1f247dab909ccfac6e7b1fac73a1a277ada0005a51580f186f06147905568b12a44b46d9fbb9e088cc07c0b109a7ff601a

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PEPreview.dll

Filesize
2.8MB

MD5
41bac0aa85a653cc5ab72e2df974c60d

SHA1
a19b4d9b8cd1bcdd950e63d4f4866f706c7549a2

SHA256
75fec76765931bb9e9ad8316638f05e505aa6852553097bf6fc1cde1d8cd0702

SHA512
327c6c7403819b165a5275eb2d5c0ae49149b631dc78befc8026f007a714440295731f9bf43e807e8ea67adc8b724c6e734b5247a2aa16330c32018e723f4c94

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PEPreview4.dll

Filesize
2.8MB

MD5
190730ffdd736ded886447b581f7073e

SHA1
c4e152b591265df3ee5149e53cbbdf4a3688963d

SHA256
62f8eba45108dc98f71796293f70a27c3d56defb9f9205ea24175403c9c70e02

SHA512
a41afe52d551b0d68792543dea8fae9adc91e2fe689670c083429ecbe4e7cbbe9314ba3121a1d90ab659320db4623490b8e628d925c962c21335751c25202e9b

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\Skin\Preview.skin

Filesize
58KB

MD5
589d63641ef12b171aa2524f33b973e8

SHA1
a711b86bff6260260b96dfa72b2911dcb8170be7

SHA256
85a8037e4e59bd7d3c7c92a2c8433c4a9b9f62146b477fd0e2609eaba7161db7

SHA512
560d6529e0f08964534e3bcd69b5ec536b6a77f082307ebde97b88189451f8df6c87aef0e2e7febcd76ba30ed60deb26da813083be51bf4c2ffa692dc734834b

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\WUL.Svg.dll

Filesize
1.7MB

MD5
8312cced6ed36701eb3b8a04c3c1e46d

SHA1
a88a459fbcddae344fe8aab60c69c8bedc1f9e65

SHA256
69997f08e78b9154405fa1a54ae8e825d633cc9d9a405861c3d8b9899380e8e0

SHA512
9bccadc7eb98c61e15e033329bf6c42e01839e2f75752889af0bebf88c90047218242da720f3cc7bd4a0edacd4df14ee0210ccac8aca192a4eb3fcae81e851ec

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\WsAP-PDFelement.dll

Filesize
4.0MB

MD5
4814120c44e0f886ec525f1d03afb192

SHA1
6f654c40230573d712ed6f4d3630dcbdfea1fd42

SHA256
b93520c519a87cd72d2e0afd47bf58a9aea2fdb5a418cbdc78cf7ac5ab81fadf

SHA512
2bcdee654b317da1559d0a5e92d92d654f992475f77951594b202f01bef9bf03611654333384b1b1be6a98f819faccf34453d6eb22654513d166fd459d3e79e0

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\icudt.dll

Filesize
9.5MB

MD5
e7a7e2a66c39dc31487c33af9815338f

SHA1
b448491765398f3e97dd445ec771fafcc27fe9b2

SHA256
b3b4143785b010965ca36bdd5dfa773bf4a64e3e00044b7da2b290de87c6916a

SHA512
a1b71b92f8f9128cd8d44b973ec8b627a67bebf66f025ae8bfb32c34533acd14f79e82cf01821601bcc010f4d6c3fa7c8090ce80fb1bcd45330ca141cb04ec20

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\libPdfCore.dll

Filesize
27.0MB

MD5
a13396f3ea8956f3cdf356d41bd27987

SHA1
7da23768b745278ce803748b0443d78bcd5403cb

SHA256
5abcd7a7db07dc979c22c2a928c28398bccfd4100ee5a8809a4dd9f08b237345

SHA512
9f8b4e707915ea3e4c89e3eaa1c5b679d6c90b492ef092aeda74a1340a1d89a554ad15d2f475c5a80dc104c70a18687bfbfe65ef14d6e25652badedda31e3fa0

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\libPdfCore.dll

Filesize
27.0MB

MD5
a13396f3ea8956f3cdf356d41bd27987

SHA1
7da23768b745278ce803748b0443d78bcd5403cb

SHA256
5abcd7a7db07dc979c22c2a928c28398bccfd4100ee5a8809a4dd9f08b237345

SHA512
9f8b4e707915ea3e4c89e3eaa1c5b679d6c90b492ef092aeda74a1340a1d89a554ad15d2f475c5a80dc104c70a18687bfbfe65ef14d6e25652badedda31e3fa0

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\libSolidEngine.dll

Filesize
538KB

MD5
93a0289367298337fe1e6eed4bb3d3b2

SHA1
832f6693a0a268f67371b7b743f8405df80fb13a

SHA256
8dc7f442f01faa2724515179b0fd873e2fe3e2bd8001cc5b1efa558e31c52382

SHA512
d8025b9fcaed4630ca1110e589c2ff5b72fc253a12cc5d2547f3eb2bc9531a6e4c5694bf6ca38b6354ea73be5165f2d9e5fa54975553b6a565d71277eff5d3b7

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Shell Extensions\PEShellContextMenu4.exe

Filesize
755KB

MD5
7fdd691c77cfb16db78e6a09d27ef8b6

SHA1
edc37318243710a322f160466d5445bcec861f70

SHA256
60431b04286fda53bac93fe1fecfc54ebf9c1eb00552cbc01786c0198c0d92f5

SHA512
63e60bb491b13d1d8ed438ed710335d79e7694d5e901fb8ffc22f2d0ca5274c0c2df4ee0de705b7fddbf00b1662636e5d8e0b351216e15746f5a30dabcca210f

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Shell Extensions\PEShellContextMenu4.exe

Filesize
755KB

MD5
7fdd691c77cfb16db78e6a09d27ef8b6

SHA1
edc37318243710a322f160466d5445bcec861f70

SHA256
60431b04286fda53bac93fe1fecfc54ebf9c1eb00552cbc01786c0198c0d92f5

SHA512
63e60bb491b13d1d8ed438ed710335d79e7694d5e901fb8ffc22f2d0ca5274c0c2df4ee0de705b7fddbf00b1662636e5d8e0b351216e15746f5a30dabcca210f

Download Submit
C:\Program Files\Common Files\Wondershare\PDFelement9\Shell Extensions\PEShellContextMenu4.exe

Filesize
755KB

MD5
7fdd691c77cfb16db78e6a09d27ef8b6

SHA1
edc37318243710a322f160466d5445bcec861f70

SHA256
60431b04286fda53bac93fe1fecfc54ebf9c1eb00552cbc01786c0198c0d92f5

SHA512
63e60bb491b13d1d8ed438ed710335d79e7694d5e901fb8ffc22f2d0ca5274c0c2df4ee0de705b7fddbf00b1662636e5d8e0b351216e15746f5a30dabcca210f

Download Submit
C:\Program Files\Wondershare\PDFelement9\AddIns\EXP_PDF.DLL

Filesize
94KB

MD5
01b6bab757adb8e800f467f5dd6f20a4

SHA1
c3a143c1671c91a826460c15401767675dccd6f6

SHA256
77b0cf57e08bcf0b4bd2274ada906e19c67ac7a2d04df19ff300a756fe96399d

SHA512
6f300e5bdb7eb5c9b91a8dc93b4f54f0f9ba23ca6e8c30bf92dba1e39902f85c8a1b7cc1bec1db569fa0f3e5761ef270f34adbc7d6855674a18707dc263003ed

Download Submit
C:\Program Files\Wondershare\PDFelement9\AddIns\EXP_XPS.DLL

Filesize
55KB

MD5
ee6e8231bf4a7cc9539eeb457d8acf39

SHA1
643956b3bf9aa29a643c47710f8369dd95622d23

SHA256
7b4d3b16ea4dc23773911971cde5de6a4125c7e4590c1245d78667e02526e769

SHA512
c330faf25588fe3420cfe2b38487fcac4ffb5011a2b4e6cb149d7679bd2ac29d4a76cbe804082451b02e83a3bcf80ed70ea351f60175a5e1755b9819bd1a51ce

Download Submit
C:\Program Files\Wondershare\PDFelement9\AddIns\PEOfficeAddIn_x64.dll

Filesize
154KB

MD5
f2bca6fef41b8fb142d02c6d35e89b8a

SHA1
2b032298e3c46132ca71c4657a7d135d37f78c19

SHA256
5239f81fee7f9be20e97d995657f54f8973e415011b8a573fa68807232a8a368

SHA512
09b4a8b2be60dabb40e0cb0ea226e8b45245be2d839834fddb78a79e0277a990c447011992d84c78d24566d5d37c6f96c18f8b54e046f513a5903245bf2b4392

Download Submit
C:\Program Files\Wondershare\PDFelement9\AddIns\PEOfficeAddIn_x86.dll

Filesize
157KB

MD5
702589a68b14d050cb03a517ed087e14

SHA1
fc53e1e6f68e49780c4872d117ef7b3213735b8c

SHA256
3d2df3669948dca839af46f445357c4726850e5e992bfe08911af355d5057532

SHA512
6199f2b897c2a558584fc614bbe0897286d7a1017c955524a8c2bf17cb87b3a442000a55ee26e7df71567447a740a4c41e92a8ff77bfedd3470aa7a85a98beda

Download Submit
C:\Program Files\Wondershare\PDFelement9\Customization.xml

Filesize
199KB

MD5
4fe18272872b9e31fd7f1d9e63aa672a

SHA1
d9449fb71cf1d1fd9c21bcd42d32e29456cb0507

SHA256
a9e19a5a11a3c814b000443e356f6dab5beae84147e66ffb4e70ee7d936facbc

SHA512
e57ea54ab22df3c29a2d5812f6827b2820d24b53c69fda9ce23437c77de8da73467440835407eb9fe74ba7a629c60d2f97860c3a5c76196e5b26d6ef535e209e

Download Submit
C:\Program Files\Wondershare\PDFelement9\FileAssociation.exe

Filesize
85KB

MD5
2fd6bfa745b44921e18cb079000e9f78

SHA1
df4f12b2b80907c8d302514dcc0f849b41560e17

SHA256
40b9cd21cf17f4cd3a3cf583c63db057b643489a20e655a90974933e30f437bb

SHA512
1f8776d7152af93b8f0235f5f89cb308c7f6bb322ad7b64b52b7a99be06e5db50d93ad847fb0b68d4ffe54e32225a942e1715439e482973fe20d89b5d9286d67

Download Submit
C:\Program Files\Wondershare\PDFelement9\FileAssociation.exe

Filesize
85KB

MD5
2fd6bfa745b44921e18cb079000e9f78

SHA1
df4f12b2b80907c8d302514dcc0f849b41560e17

SHA256
40b9cd21cf17f4cd3a3cf583c63db057b643489a20e655a90974933e30f437bb

SHA512
1f8776d7152af93b8f0235f5f89cb308c7f6bb322ad7b64b52b7a99be06e5db50d93ad847fb0b68d4ffe54e32225a942e1715439e482973fe20d89b5d9286d67

Download Submit
C:\Program Files\Wondershare\PDFelement9\FileAssociation.exe.config

Filesize
539B

MD5
a70491f336626d0e533cb69ec59c9b63

SHA1
9b5a25038699abc1bf207755e38876e256f55821

SHA256
7323370e83d9d90e08467153d61c0c023891769051bd6656c15bd8b815ff6a8e

SHA512
6d31507ad0ab1135742054c631c408ec06d8623451eac70ab5ca6553de472e8a0061ad7c7472fd8d0cdde74e5ef382d6c6e89fd2c425805fd498ff1d4007284d

Download Submit
C:\Program Files\Wondershare\PDFelement9\PDFelement.exe

Filesize
17.5MB

MD5
fbc9ce80f869ba5f1e138e6812675dba

SHA1
fc6767cede551153e87e032841ad2823beff54a6

SHA256
04475c1d46753e73e4251001c1dc8e7a6e0e965e60249a72d60249abc3b4ddf3

SHA512
f85a35dfcb8556a1ca43d735a6e9f0529df03f7eb6b560d8331bd461bf074b6c80c49336ec75b102aae7d9a49230a78ba77048e138b761cdda32afe4e8758220

Download Submit
C:\Program Files\Wondershare\PDFelement9\PDFelement.exe

Filesize
17.5MB

MD5
fbc9ce80f869ba5f1e138e6812675dba

SHA1
fc6767cede551153e87e032841ad2823beff54a6

SHA256
04475c1d46753e73e4251001c1dc8e7a6e0e965e60249a72d60249abc3b4ddf3

SHA512
f85a35dfcb8556a1ca43d735a6e9f0529df03f7eb6b560d8331bd461bf074b6c80c49336ec75b102aae7d9a49230a78ba77048e138b761cdda32afe4e8758220

Download Submit
C:\Program Files\Wondershare\PDFelement9\PDFelement.ini

Filesize
10B

MD5
a4e98fcc53cef8464dc4635e247005a0

SHA1
874da095036349c10dd2e33ff52d68009a91540f

SHA256
c194a0be243178a9ecb11a2032a4ea5bda33e92e165e570b59f5babc852e82e8

SHA512
b97503ec848952f7884117043d03206eb8ce759f87068afd055d1089ba2335daf6d48547c0968bdccf70114ae8f771b5b65b21b13f46e6ab2ae7f64962c09882

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEAddInDeployment.exe

Filesize
170KB

MD5
50b6b66103a6d8928c296f5f2ee41e79

SHA1
94de7a432a56c456c43d8154b01e5b2311543fe9

SHA256
e096b73352ff5b4c0b960008675bcc85e466d6209e514fdbad40cbd18b321707

SHA512
6c227c06ab62c86af1f4edd3f270c1a458e2745cb763a3a4de72ed5323bed4e5c87aba76d91df619d645a4b003edda51f230b2399e17b5efe558c973d989686f

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEAddInDeployment.exe

Filesize
170KB

MD5
50b6b66103a6d8928c296f5f2ee41e79

SHA1
94de7a432a56c456c43d8154b01e5b2311543fe9

SHA256
e096b73352ff5b4c0b960008675bcc85e466d6209e514fdbad40cbd18b321707

SHA512
6c227c06ab62c86af1f4edd3f270c1a458e2745cb763a3a4de72ed5323bed4e5c87aba76d91df619d645a4b003edda51f230b2399e17b5efe558c973d989686f

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEAddInDeployment.exe.config

Filesize
541B

MD5
76d54a388667208b269aafec6e091bfa

SHA1
c54d5bea5fc945aac10d014fdb6463545413f377

SHA256
bf5856cf607ff0e85ca64b06997c0de15a8d95b8813dfa1471a680c22aab4c51

SHA512
be1612b68f52a39ccf75c9d08745547af423bca28c17dc7a258bd175a5271790385060d932adb093fc12c14cab0b8ebf317bf4787bb1ba81463abdb431696c67

Download Submit
C:\Program Files\Wondershare\PDFelement9\PENotify.exe

Filesize
7.7MB

MD5
8055be652b81967659f0a237d21b0d2a

SHA1
65bafb39485d3fb9f11e4675817f6ebb4d4c26f3

SHA256
5cd3cd33f8876916a0667b56cb8b46bde73ed24f280cb0bcba6cf25bcf227061

SHA512
33166473ebf34b86b18cd3f4a997c47bcf47a648fd00dafdb828669abaa68ce9f88d5a21381841cd623cbfa11eaee4da0663c7b560ec32349c60c6aad030a391

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEOfficeAddInInstall2304.log

Filesize
5KB

MD5
11675611baf162f968b3f07325227c49

SHA1
340149e318cdd70e2f26492d9cc8d9779f3ac026

SHA256
99f73d05893134390fd7c7d331a33d92e9053370cd0496ff8ee960e54005c51c

SHA512
fcb1316d2387c81f3555451297ebe12ecfc4fb00742a8d577f65b5af10fade416991fbf2737e4451d99998de5e849596c29366427cdbd15a6fb9390adb02c50d

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEShellContextMenu4.exe

Filesize
755KB

MD5
7fdd691c77cfb16db78e6a09d27ef8b6

SHA1
edc37318243710a322f160466d5445bcec861f70

SHA256
60431b04286fda53bac93fe1fecfc54ebf9c1eb00552cbc01786c0198c0d92f5

SHA512
63e60bb491b13d1d8ed438ed710335d79e7694d5e901fb8ffc22f2d0ca5274c0c2df4ee0de705b7fddbf00b1662636e5d8e0b351216e15746f5a30dabcca210f

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEShellContextMenu4.exe

Filesize
755KB

MD5
7fdd691c77cfb16db78e6a09d27ef8b6

SHA1
edc37318243710a322f160466d5445bcec861f70

SHA256
60431b04286fda53bac93fe1fecfc54ebf9c1eb00552cbc01786c0198c0d92f5

SHA512
63e60bb491b13d1d8ed438ed710335d79e7694d5e901fb8ffc22f2d0ca5274c0c2df4ee0de705b7fddbf00b1662636e5d8e0b351216e15746f5a30dabcca210f

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEShellContextMenu4.exe.config

Filesize
128B

MD5
4bae26d52d58b899abd26e5b17fd0b0a

SHA1
9d9bc1eff893b3d57732ef7cab8f93086314632c

SHA256
52fa6b1d17dbfd9b8f73a924c8f8df530b9a14b7e664763ab8ded97812a9989c

SHA512
a465bd1e37b6e4488bef341a162ff371a421c029702dd2ff4e8337fcff518a0a132eedb45941f53f2e1ed313d834c934610ea608dae06c5fc0af65584393a266

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe

Filesize
110KB

MD5
4c94cc69de514d4ecf297cce889ace04

SHA1
c48e0011106d9c87a9ba6623f463d443a3d94281

SHA256
8ddfb59f3abc8eaf91adb56fa43597d1012526e614d82c128eca7af2aad21368

SHA512
d8af6832dad1c77126378ebde50e90392ab1f3803a6d8c7927b995d67ee48d4b9774e0a7ec6c0409169a7dd83bbeecbe99a43d166cbf6d1e90a2a7abfcbcaa46

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe

Filesize
110KB

MD5
4c94cc69de514d4ecf297cce889ace04

SHA1
c48e0011106d9c87a9ba6623f463d443a3d94281

SHA256
8ddfb59f3abc8eaf91adb56fa43597d1012526e614d82c128eca7af2aad21368

SHA512
d8af6832dad1c77126378ebde50e90392ab1f3803a6d8c7927b995d67ee48d4b9774e0a7ec6c0409169a7dd83bbeecbe99a43d166cbf6d1e90a2a7abfcbcaa46

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe

Filesize
110KB

MD5
4c94cc69de514d4ecf297cce889ace04

SHA1
c48e0011106d9c87a9ba6623f463d443a3d94281

SHA256
8ddfb59f3abc8eaf91adb56fa43597d1012526e614d82c128eca7af2aad21368

SHA512
d8af6832dad1c77126378ebde50e90392ab1f3803a6d8c7927b995d67ee48d4b9774e0a7ec6c0409169a7dd83bbeecbe99a43d166cbf6d1e90a2a7abfcbcaa46

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe

Filesize
110KB

MD5
4c94cc69de514d4ecf297cce889ace04

SHA1
c48e0011106d9c87a9ba6623f463d443a3d94281

SHA256
8ddfb59f3abc8eaf91adb56fa43597d1012526e614d82c128eca7af2aad21368

SHA512
d8af6832dad1c77126378ebde50e90392ab1f3803a6d8c7927b995d67ee48d4b9774e0a7ec6c0409169a7dd83bbeecbe99a43d166cbf6d1e90a2a7abfcbcaa46

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe.config

Filesize
539B

MD5
a70491f336626d0e533cb69ec59c9b63

SHA1
9b5a25038699abc1bf207755e38876e256f55821

SHA256
7323370e83d9d90e08467153d61c0c023891769051bd6656c15bd8b815ff6a8e

SHA512
6d31507ad0ab1135742054c631c408ec06d8623451eac70ab5ca6553de472e8a0061ad7c7472fd8d0cdde74e5ef382d6c6e89fd2c425805fd498ff1d4007284d

Download Submit
C:\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe.config

Filesize
539B

MD5
a70491f336626d0e533cb69ec59c9b63

SHA1
9b5a25038699abc1bf207755e38876e256f55821

SHA256
7323370e83d9d90e08467153d61c0c023891769051bd6656c15bd8b815ff6a8e

SHA512
6d31507ad0ab1135742054c631c408ec06d8623451eac70ab5ca6553de472e8a0061ad7c7472fd8d0cdde74e5ef382d6c6e89fd2c425805fd498ff1d4007284d

Download Submit
C:\Program Files\Wondershare\PDFelement9\SolidFramework\Win64\Resources\is-6MU2U.tmp

Filesize
219KB

MD5
c83ac04eb75e390fa0c9465ca66ae0fd

SHA1
4331410d4a59c1fbd8c46e609bfac5bbaba0f883

SHA256
949bfa729dfe77987a0da8d85bd24f272da512ece48b435e702f797f24f9038d

SHA512
2ad6924bdb903d4ad5c1a60e79fa64901c4c89075aa67e806a23442ab16ba1931e02d90881e4cdd3b9f7eeae1fc68d07d8bc11fb0e35209aa9724fb8071d78ce

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\PEPrinterMonitor.dll

Filesize
278KB

MD5
9dcb0351332621c00c7dfafcde6df3ad

SHA1
cf53a36158bca80ec89a8e276f661c6a63831d05

SHA256
011f682171bf61ee6000b1f921fa98647701bb11b11c86188c4395f1b955bd12

SHA512
0993493d221098ecbe2327eee7a43b1a122f094b467ef0b00476cb49e93c15b4ba7b982ae269203f64c3ca8245951d0b371e03bcaf25762f4bfeda78b602253b

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\PEPrinterMonitor.dll

Filesize
278KB

MD5
9dcb0351332621c00c7dfafcde6df3ad

SHA1
cf53a36158bca80ec89a8e276f661c6a63831d05

SHA256
011f682171bf61ee6000b1f921fa98647701bb11b11c86188c4395f1b955bd12

SHA512
0993493d221098ecbe2327eee7a43b1a122f094b467ef0b00476cb49e93c15b4ba7b982ae269203f64c3ca8245951d0b371e03bcaf25762f4bfeda78b602253b

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\PEToolboxMonitor.dll

Filesize
285KB

MD5
8c130ee8bb992361443f3df695f75b9d

SHA1
21bf97c65eea60ba32f4c487f519654dafb25b2d

SHA256
7b796c6a0646b0637d9428df020894c8e5a7defae1055b3c4cc8e74bdee5c056

SHA512
acdc3a01181d881544e1937045e974bb7d6b6ee32d14446681190d8e64fb543ce0d623c1497069c52e1853728c1dc656a3a31cf9628cd1d55498ea24b7e05d8d

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\WSPrtSetup.exe

Filesize
146KB

MD5
2f95c0f7b5429cad4fef24c37b005014

SHA1
bfcbf13f4639f3784d630153449fa3ce2048d1d8

SHA256
ff754b2719b5e08db2bc34aad3e7d1b14f6651e7c4944707eb38de95e461b69a

SHA512
8868bcad45924eecc443bb3c2ffdd0ad48487de8687edb2c8ccc2b01b64860b8993d7afc70d12cca64ebc563889d6687d242a0f83983f1e621457454049d8421

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\x64\PDFCREAT.PPD

Filesize
31KB

MD5
7b3694cff54a0f58525abd9cc3e62475

SHA1
d7fffbb17f7e02ae03b1dca1a808c53dbff67436

SHA256
479ded50a99ee0ea2d671cbeb68cabfda049b18ba6729eb81422fcd08d690afd

SHA512
a440dbabf93bb0f5b2e8a37fa1f03e84d29eb8a9eb08558b0f8a57f6200c4e9a4c17174051130ee01cdff299c72280bee78478014d75d4f2316160a0c8f787e5

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\x64\PS5UI.DLL

Filesize
248KB

MD5
34fe8243c4ce5db32b593857a9ab65bc

SHA1
bedd7610b754f6216131a0f509fc9d8813e439f4

SHA256
28a1cc523e3708c48fca4095d1ede1a81fdf1954b743eca4d6c8172f0116a3d6

SHA512
561503728c5598ce360e85130bef4172fe0e0fc57417e2549d6a15c509244d67cc84ef775450c133170df2e9c258951549fad32c3080a52394078756b60f3376

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\x64\PSCRIPT.HLP

Filesize
25KB

MD5
02c3f8c32018f3aaf66e7421400f1781

SHA1
a04f2e40287af78867161fa3f1606045088da212

SHA256
6faef4c998e810fff139958f28722c79879ec2fd66c97c7e3e2c5040fd5550d9

SHA512
c30fee64d74a536117de46c81b6e22ec82634d1284783a317bc15e85cfd561fad7d50a63ca863ea6520b5cbaecf9061f7b52d3d99050484ce8a004f81dab7990

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\x64\PSCRIPT.NTF

Filesize
1.0MB

MD5
e45e03bdfbddcee4b6d62bc922ef24e7

SHA1
1873ec050afe6275e95df8b6a1a43098dccb9f25

SHA256
3eb48a31bb8bfb34534ff6e251e9b97e29e8b8e3a4eaf6c929b026caced3498c

SHA512
0dd54c060ca8b2fb676a14488dfeb30de9b0458a23aeb632c1bc4de54fc6b8066c86450a896726f04ca74bcecec03fac15c69a81ed17215b53501da57607f915

Download Submit
C:\Program Files\Wondershare\PDFelement9\WSPrtSetup\x64\PSCRIPT5.DLL

Filesize
732KB

MD5
fd759f3f3dbda773e410172b8fe9b716

SHA1
be6553806f25e3c3413064e6fc4a82d01bab3ff5

SHA256
b5b15b0f92cd60314d45aa2bc3cf06109a050b3c096168fb35d584281fed3507

SHA512
789e351e84d409c37c77ce51b82fc63ce22023ad0ab326f7455aca2a8834fe7145293f30ee19a616d4fe1917512a9ce1fdb0856004852d67c0d13b5a737627a4

Download Submit
C:\Program Files\Wondershare\PDFelement9\is-329M7.tmp

Filesize
536B

MD5
5295757d4c69e6a41bba69446e7de1f0

SHA1
c8d0cd0908b2e8dadbd4c0f5ffc8296cd363bc04

SHA256
70aec6dca7932e63e7888675bcc3e6a453372720a8ed5e6042398dfd34657bcb

SHA512
0e2539e3f7b84ad6eb5ff50ff7267a7f6020b86cab9109d4923feed49650b5c4acb9016960b12e99bcec7c09f73a0e5d11f90da3d20b6c5744c6963201f3cf29

Download Submit
C:\Program Files\Wondershare\PDFelement9\is-ODA94.tmp

Filesize
662B

MD5
fa2b6f724008b9d9e263a9b4abe797af

SHA1
e9d57125a9e593ce9a37035a3a96055e1ff52f71

SHA256
057a3cb241e343ec28f4c23d742f69e64c378c4e0db10807d8206c9827838e32

SHA512
1ec96e38cdd12298d9a901a89713864d1749434ef492d4f05cd5f38c1b7025f46abee5d8834e62fa4645b2f9f973a97923612fafacccc5b89e2823b6b57541b1

Download Submit
C:\Program Files\Wondershare\PDFelement9\unins000.exe

Filesize
1.4MB

MD5
6f305dae9a639b29138a0c3ab2ded6e2

SHA1
62611c07da4bae4b56b819b56186189788d9fb75

SHA256
dc11e24fa57fbad625b733cac05e0a44d97e4799ccd8979a77bdf7c50d5b8418

SHA512
dff794bee824fab3e69e9ad85a6deaa7290c3486c9c64912cff97e8b02e3082fed7b047dedf4ff5b2f9afb6c239ac267f741762ab3493f18211042195e09e487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
1KB

MD5
285ec909c4ab0d2d57f5086b225799aa

SHA1
d89e3bd43d5d909b47a18977aa9d5ce36cee184c

SHA256
68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b

SHA512
4cf305b95f94c7a9504c53c7f2dc8068e647a326d95976b7f4d80433b2284506fc5e3bb9a80a4e9a9889540bbf92908dd39ee4eb25f2566fe9ab37b4dc9a7c09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c7403435151da827013e96f6e6b3daa

SHA1
fa80e0ecd27d97bd7425c96a53208426b63c1074

SHA256
bcdcb4df3fc315b2513b4e6cba5ca6ecb0aa43bd66b8d0b7e485007dd62c9846

SHA512
3b2d1bf29100e59c422545aacb36f168c70a7bd8910c2297ba659f476da70582a51a55b867ce03e33176c28f5186f2a5645243a9f58d34d50513c266abd822dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a99781f3aea609b324b38f774fcb013a

SHA1
d7a6e524d68711f1e7083d494129aacfadc472c0

SHA256
a48dae6d416bf0f6c50c0e53c4e25aceb5a7485a865f943d93313f9ca771d5fb

SHA512
40163c9cf75fc3e4edd2acf6605f611e4da4352c0e47d940cd59263691e90d6c4eb6ca70aec74837523040c0d1fc925dafb1e7a1d00cc314df6cc64d4e48fc5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22fde8b543038f7bea16303d6743fe07

SHA1
8e66f7eaa16b14c147399624aeb2ff10fe07c57e

SHA256
b534b041629a4e9250824a8ddda78d05ac1ce44a61ab3042a6ba2a30fa2b439b

SHA512
b3d9fed510b7cf71fd566c8cc58d5f0fa725826b17ad4a340b7c20ec8113402b4bcf28744794627cb63b833e3eb509de9592e087d433ac81b6e725560a4baa5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a2a883c4963d0149a8a573c44946753

SHA1
5d0fe2c40bef2e5ebe0f96696d393f1a18c47133

SHA256
d9ed6f24b9a5071b248ef0ee7f8cf641b543a602d33c7afef2bfa212d12bfee4

SHA512
8cce3a4771113869cb224b10b7b18e9df8db72206191764e63a7cd8e9d1fbed3d816b763e1094e4fd51318119dd6d6d8b50ac04ab8cf42b268b28d05cbabe3f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6082ebd674d25ae412c6519681f5875c

SHA1
e1ba320c27abfec850452fbeb033e6248869b38a

SHA256
5611074174bc1b16a5d5ec7432fcc7bff383e95411c5839f0356dd38882903c8

SHA512
a28663affcc02550587694eaba2d6f441525177a547ceb185a533d176f184c6817852128904f24d4e1b6db56d03664a4615ecb743846f61cb2d3cc0cf3aabf79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
787e560f5a24fb79140d1073d435a29b

SHA1
b2c8ab42252250b5bfe00474e639c49a37f4e44e

SHA256
b92d2fb188628508a5213c20c641c72f15e1cef7d54a463da0d957e24c8f2aa6

SHA512
cea3062bf10b97d8106616bbbc1dabc0b6f74dda334596d6e943c165856ad375ba42124d95f4b25f673c9ca056ed828ce8a6ef948ca70530fbbde6acb92cc25f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2ca001e95ccc9c9256abab23d7ca10f

SHA1
cf1e6596f843df43faaa1f791d1d81f2247b68af

SHA256
c4d07daef13abd2b687f522df75884f622eb7c1761a2187d767c5d5d360e2e2b

SHA512
ce42067e5a96a993572e64f332b78ef4a94850be11e5dbac9b19b7712ec465ce62cc3838d8ffd6459008f2e9f614a62b3cd18b36fa9340687a4880f35d54d34d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
169b88861b3da87db6def526cca1f0ea

SHA1
57de0d68d54d6a6b2446f0d1f47e91427f1b1540

SHA256
b8df65fe11fccefbb9cbc2964c017f9dccbab1e1143b63f5231158e9e9eb62b2

SHA512
7c4a1800bee0834d69457cc8e7835aa95f3538ec99ce62d557bc8845f1b08c26c6140fd3b43ff250387ff5fa71f243fa31ecffd65befa8cf61556ec08a6206df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7c0b8cabe4917469f9f3a3b27d251d6

SHA1
263d7fb31a53610087cf04e0d03c0afee3b7f55f

SHA256
80eeb85623572baef18b5a52185480f27e236675059ad66f1dc436b43aa03d37

SHA512
ad52d59977194b8197a94bbe5e20253029f53d5e8764fb51860107070593983bc233c56196e899e8520f643bc209410fe4c5d7cb1b339a3b1ca37404b1053dbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
467325556192cf9fc9d598f721271d0d

SHA1
a6962e87e4b270c29465c41c81ae121e2085efec

SHA256
3fc14c5cefcb7cd781af87d775026c93a2a3de42d10f52d7f19c9449e2c35e33

SHA512
bb5ff98fd87bd49a2d5ec9f5dd656075e1bb547b3aca77def73952bdb36a28939b95ab2de86560ad65e38611d8d75fe9a76bdc4f1d3a7774597daf544ec6e9b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

Filesize
250B

MD5
a36efeebe380353c8bc0e73591baa0fa

SHA1
c39998ad19fadaba6583edce24a310e4115c2b51

SHA256
89b1c9f00f6345483ba9359e652ef51ab369d5aaea3ed19c824f7c9b036dce8f

SHA512
f14c5f455cd8b438d9c577ede3c2cb58966773e72112d532992436804023ca370c363b093a7567aaedd53f1a910c3ead71fa696989be8612b6960bbe6b291251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9e631db6-223b-4196-9d61-c3c18dbefb60.tmp

Filesize
4KB

MD5
e5973a9c77d85748875e5b04b275af4d

SHA1
e331d23accc11d32892e15f0f8a1597f1aca199a

SHA256
629b31692c87e3d127c48052965df2089b85be76cebbb2377f55734006f635f9

SHA512
b66641452bf242880500cdb74f3ccdf1ea7e5573f488888f02462f469d7cb4acbfa726973151238b2b01947526d44f33dd52000736fdba026ab6b17230a302e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
0f62683740ca001c7279c7f0df69a135

SHA1
583bab657bb239b823666365500eff2b0e1533ba

SHA256
9410093e39cafb5ea5fbe581fb2373c52f67e83795ee77644c5586dc39bd6a6d

SHA512
66ab2a67aeb548b50debbc7de358a06cb6b9d0df56fca1fdbc7c976daafdaedfd3775f2ec2bce62291c978270c85f0c7181ca6b5220ce327e19abfdd25c57439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b0c55e10dd6f6ee71a8fc6c0edb63b16

SHA1
48d0d619900f9cea73379b1c24f27d2378b7c71e

SHA256
e9c2831c9208f2062ec2f23df8f1f2974c324718ec76f7714c389fcc993155ae

SHA512
e6dd0a8c9f51cf5a2456a6882f62f774e02d55e6371e01991ece317806dec6801f20782368598c0778b7f18c8ead6d534ae4896eb65b45197019b3af91a9682a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RF6da297.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7CC6.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe

Filesize
47KB

MD5
a69259e6fa01c73389b000173b36da5b

SHA1
7913598a942fd76adeaefae71b56fdb241d81298

SHA256
9c336b024e30f9da204697dcab4635c3c448dfa03b56b69528f9e287684ebdf8

SHA512
7421a2a10299518b8bbb12caed3fe37184cd72436f1782c1d1b0a613d495675fb16039a53dce038cd22f545180ea90ef6a668acfdf512d91a7da3a983f07bef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe

Filesize
47KB

MD5
a69259e6fa01c73389b000173b36da5b

SHA1
7913598a942fd76adeaefae71b56fdb241d81298

SHA256
9c336b024e30f9da204697dcab4635c3c448dfa03b56b69528f9e287684ebdf8

SHA512
7421a2a10299518b8bbb12caed3fe37184cd72436f1782c1d1b0a613d495675fb16039a53dce038cd22f545180ea90ef6a668acfdf512d91a7da3a983f07bef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe.config

Filesize
539B

MD5
a70491f336626d0e533cb69ec59c9b63

SHA1
9b5a25038699abc1bf207755e38876e256f55821

SHA256
7323370e83d9d90e08467153d61c0c023891769051bd6656c15bd8b815ff6a8e

SHA512
6d31507ad0ab1135742054c631c408ec06d8623451eac70ab5ca6553de472e8a0061ad7c7472fd8d0cdde74e5ef382d6c6e89fd2c425805fd498ff1d4007284d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\WSUtilities.dll

Filesize
197KB

MD5
12f724b38945658ec4c64b190cb38804

SHA1
425a26153c115ed126bb15ac651244152896a760

SHA256
9f6658ae721fcc242c31d18d18cc185814524405361545c6251b6003d777ad0f

SHA512
9b5e9624410d0c6611f461b9d604e793189f9922ad5f42dba51876de625550a32ec87e49539b734f520053449e96bc16149e6188b701aeb02145053698b7b4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J0SV5.tmp\pdfelement-pro_full5239.tmp

Filesize
1.4MB

MD5
6f305dae9a639b29138a0c3ab2ded6e2

SHA1
62611c07da4bae4b56b819b56186189788d9fb75

SHA256
dc11e24fa57fbad625b733cac05e0a44d97e4799ccd8979a77bdf7c50d5b8418

SHA512
dff794bee824fab3e69e9ad85a6deaa7290c3486c9c64912cff97e8b02e3082fed7b047dedf4ff5b2f9afb6c239ac267f741762ab3493f18211042195e09e487

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J0SV5.tmp\pdfelement-pro_full5239.tmp

Filesize
1.4MB

MD5
6f305dae9a639b29138a0c3ab2ded6e2

SHA1
62611c07da4bae4b56b819b56186189788d9fb75

SHA256
dc11e24fa57fbad625b733cac05e0a44d97e4799ccd8979a77bdf7c50d5b8418

SHA512
dff794bee824fab3e69e9ad85a6deaa7290c3486c9c64912cff97e8b02e3082fed7b047dedf4ff5b2f9afb6c239ac267f741762ab3493f18211042195e09e487

Download Submit
C:\Users\Admin\AppData\Roaming\Wondershare\PDFelement9\Log\PEPreviewDeployment0.log

Filesize
491B

MD5
68b9279383fed924e34205857b2dd4ad

SHA1
c09f7a5f45e824b012e42ccffb502457e759d8cd

SHA256
6a8f44d3373631792fac3eb00fe062fc9d1e64b8fdfb6458c8dfed6176969280

SHA512
9ce3ded3af104b7ec27cc86c6912deaad168b082095e5bae18c908b08a3e30f46a7cfd74d9c525ec9ff899d498d4df2dc2109d5f23a06b8c59af100dca31368b

Download Submit
C:\Users\Admin\AppData\Roaming\Wondershare\PDFelement9\Log\PEToolDeployment.Install0.log

Filesize
1KB

MD5
918d930e53519f1bb4797f5a2ae1213e

SHA1
d94f12c54ee4bfeb402e0471659022a595454dac

SHA256
3b806a0bc148c86cbc36d80b89a5f28a994099b65779461e0ef5c28dafc1b8ac

SHA512
98bb54fbe271653c6b925a9c0b3a56d5f322b967d5f1a863bc678816337a5365a178342187064f4f5233d4b2713f97f73961c455d0396e732ac791cf75548b40

Download Submit
C:\Windows\System32\spool\drivers\x64\PDFCREAT.PPD

Filesize
31KB

MD5
7b3694cff54a0f58525abd9cc3e62475

SHA1
d7fffbb17f7e02ae03b1dca1a808c53dbff67436

SHA256
479ded50a99ee0ea2d671cbeb68cabfda049b18ba6729eb81422fcd08d690afd

SHA512
a440dbabf93bb0f5b2e8a37fa1f03e84d29eb8a9eb08558b0f8a57f6200c4e9a4c17174051130ee01cdff299c72280bee78478014d75d4f2316160a0c8f787e5

Download Submit
C:\Windows\System32\spool\drivers\x64\PSCRIPT.HLP

Filesize
25KB

MD5
02c3f8c32018f3aaf66e7421400f1781

SHA1
a04f2e40287af78867161fa3f1606045088da212

SHA256
6faef4c998e810fff139958f28722c79879ec2fd66c97c7e3e2c5040fd5550d9

SHA512
c30fee64d74a536117de46c81b6e22ec82634d1284783a317bc15e85cfd561fad7d50a63ca863ea6520b5cbaecf9061f7b52d3d99050484ce8a004f81dab7990

Download Submit
\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\PDFThumbnailHandler.dll

Filesize
320KB

MD5
de7fa9ad647e8a64384ea3b1a2225713

SHA1
6b2008853cf62da8b4518177adeda8e60ff61899

SHA256
c139cc771902134d332d75a380b31cf78f73339fc7173e951c9193f3a46279c2

SHA512
7626ddbf36382f53b1ec9ff57fb03f1f247dab909ccfac6e7b1fac73a1a277ada0005a51580f186f06147905568b12a44b46d9fbb9e088cc07c0b109a7ff601a

Download Submit
\Program Files\Common Files\Wondershare\PDFelement9\Preview\1.0.0.68\libPdfCore.dll

Filesize
27.0MB

MD5
a13396f3ea8956f3cdf356d41bd27987

SHA1
7da23768b745278ce803748b0443d78bcd5403cb

SHA256
5abcd7a7db07dc979c22c2a928c28398bccfd4100ee5a8809a4dd9f08b237345

SHA512
9f8b4e707915ea3e4c89e3eaa1c5b679d6c90b492ef092aeda74a1340a1d89a554ad15d2f475c5a80dc104c70a18687bfbfe65ef14d6e25652badedda31e3fa0

Download Submit
\Program Files\Wondershare\PDFelement9\FileAssociation.exe

Filesize
85KB

MD5
2fd6bfa745b44921e18cb079000e9f78

SHA1
df4f12b2b80907c8d302514dcc0f849b41560e17

SHA256
40b9cd21cf17f4cd3a3cf583c63db057b643489a20e655a90974933e30f437bb

SHA512
1f8776d7152af93b8f0235f5f89cb308c7f6bb322ad7b64b52b7a99be06e5db50d93ad847fb0b68d4ffe54e32225a942e1715439e482973fe20d89b5d9286d67

Download Submit
\Program Files\Wondershare\PDFelement9\PDFelement.exe

Filesize
17.5MB

MD5
fbc9ce80f869ba5f1e138e6812675dba

SHA1
fc6767cede551153e87e032841ad2823beff54a6

SHA256
04475c1d46753e73e4251001c1dc8e7a6e0e965e60249a72d60249abc3b4ddf3

SHA512
f85a35dfcb8556a1ca43d735a6e9f0529df03f7eb6b560d8331bd461bf074b6c80c49336ec75b102aae7d9a49230a78ba77048e138b761cdda32afe4e8758220

Download Submit
\Program Files\Wondershare\PDFelement9\PDFelement.exe

Filesize
17.5MB

MD5
fbc9ce80f869ba5f1e138e6812675dba

SHA1
fc6767cede551153e87e032841ad2823beff54a6

SHA256
04475c1d46753e73e4251001c1dc8e7a6e0e965e60249a72d60249abc3b4ddf3

SHA512
f85a35dfcb8556a1ca43d735a6e9f0529df03f7eb6b560d8331bd461bf074b6c80c49336ec75b102aae7d9a49230a78ba77048e138b761cdda32afe4e8758220

Download Submit
\Program Files\Wondershare\PDFelement9\PDFelement.exe

Filesize
17.5MB

MD5
fbc9ce80f869ba5f1e138e6812675dba

SHA1
fc6767cede551153e87e032841ad2823beff54a6

SHA256
04475c1d46753e73e4251001c1dc8e7a6e0e965e60249a72d60249abc3b4ddf3

SHA512
f85a35dfcb8556a1ca43d735a6e9f0529df03f7eb6b560d8331bd461bf074b6c80c49336ec75b102aae7d9a49230a78ba77048e138b761cdda32afe4e8758220

Download Submit
\Program Files\Wondershare\PDFelement9\PDFelement.exe

Filesize
17.5MB

MD5
fbc9ce80f869ba5f1e138e6812675dba

SHA1
fc6767cede551153e87e032841ad2823beff54a6

SHA256
04475c1d46753e73e4251001c1dc8e7a6e0e965e60249a72d60249abc3b4ddf3

SHA512
f85a35dfcb8556a1ca43d735a6e9f0529df03f7eb6b560d8331bd461bf074b6c80c49336ec75b102aae7d9a49230a78ba77048e138b761cdda32afe4e8758220

Download Submit
\Program Files\Wondershare\PDFelement9\PEAddInDeployment.exe

Filesize
170KB

MD5
50b6b66103a6d8928c296f5f2ee41e79

SHA1
94de7a432a56c456c43d8154b01e5b2311543fe9

SHA256
e096b73352ff5b4c0b960008675bcc85e466d6209e514fdbad40cbd18b321707

SHA512
6c227c06ab62c86af1f4edd3f270c1a458e2745cb763a3a4de72ed5323bed4e5c87aba76d91df619d645a4b003edda51f230b2399e17b5efe558c973d989686f

Download Submit
\Program Files\Wondershare\PDFelement9\PEShellContextMenu4.exe

Filesize
755KB

MD5
7fdd691c77cfb16db78e6a09d27ef8b6

SHA1
edc37318243710a322f160466d5445bcec861f70

SHA256
60431b04286fda53bac93fe1fecfc54ebf9c1eb00552cbc01786c0198c0d92f5

SHA512
63e60bb491b13d1d8ed438ed710335d79e7694d5e901fb8ffc22f2d0ca5274c0c2df4ee0de705b7fddbf00b1662636e5d8e0b351216e15746f5a30dabcca210f

Download Submit
\Program Files\Wondershare\PDFelement9\PEToolDeployment.exe

Filesize
110KB

MD5
4c94cc69de514d4ecf297cce889ace04

SHA1
c48e0011106d9c87a9ba6623f463d443a3d94281

SHA256
8ddfb59f3abc8eaf91adb56fa43597d1012526e614d82c128eca7af2aad21368

SHA512
d8af6832dad1c77126378ebde50e90392ab1f3803a6d8c7927b995d67ee48d4b9774e0a7ec6c0409169a7dd83bbeecbe99a43d166cbf6d1e90a2a7abfcbcaa46

Download Submit
\Program Files\Wondershare\PDFelement9\Uninstall.exe

Filesize
2.1MB

MD5
d959c5a21801202a256e9dd4742adc4b

SHA1
897290371c77cb6846607f737ef0fcbc97f71b08

SHA256
a922edc0b43010447cad0df4ec0d3087c48282909bab9f195adcadb3666b7a79

SHA512
e085d2b1f5adaeda2b770d11baf7968e824753fffbdbb771a11121b576261ff92a8944cb8f923670aba087b30a16a6bbcbce5db46e7de49859e6339fcd821fa6

Download Submit
\Program Files\Wondershare\PDFelement9\WSPrtSetup\WSPrtSetup.exe

Filesize
146KB

MD5
2f95c0f7b5429cad4fef24c37b005014

SHA1
bfcbf13f4639f3784d630153449fa3ce2048d1d8

SHA256
ff754b2719b5e08db2bc34aad3e7d1b14f6651e7c4944707eb38de95e461b69a

SHA512
8868bcad45924eecc443bb3c2ffdd0ad48487de8687edb2c8ccc2b01b64860b8993d7afc70d12cca64ebc563889d6687d242a0f83983f1e621457454049d8421

Download Submit
\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEInstallHelper.dll

Filesize
130KB

MD5
a1ac16e38b5cd8958fae7fc4bba7b2e5

SHA1
9c96be904161a3c55ee5f9667f9ee7e3d7a851d2

SHA256
bc8023df22e12208490a125887f9194affd6b6802e7ba995ab53ee2229ae2371

SHA512
99abcddcff999d75726e52e9707ab7971832087ebd81e1baf3c0b5740b930d6c536357153d73623dedc934b13d87b37c34a624c2ff05893e51ac13a69ff8fc11

Download Submit
\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\PEPreviewDeployment.exe

Filesize
47KB

MD5
a69259e6fa01c73389b000173b36da5b

SHA1
7913598a942fd76adeaefae71b56fdb241d81298

SHA256
9c336b024e30f9da204697dcab4635c3c448dfa03b56b69528f9e287684ebdf8

SHA512
7421a2a10299518b8bbb12caed3fe37184cd72436f1782c1d1b0a613d495675fb16039a53dce038cd22f545180ea90ef6a668acfdf512d91a7da3a983f07bef9

Download Submit
\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\WSUtilities.dll

Filesize
197KB

MD5
12f724b38945658ec4c64b190cb38804

SHA1
425a26153c115ed126bb15ac651244152896a760

SHA256
9f6658ae721fcc242c31d18d18cc185814524405361545c6251b6003d777ad0f

SHA512
9b5e9624410d0c6611f461b9d604e793189f9922ad5f42dba51876de625550a32ec87e49539b734f520053449e96bc16149e6188b701aeb02145053698b7b4af

Download Submit
\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
\Users\Admin\AppData\Local\Temp\is-FSCNK.tmp\data_api.dll

Filesize
886KB

MD5
24e34654aa24831dd09794f6bca274e3

SHA1
3db4765c318a831f495c00449155291d5a1ee645

SHA256
6a523a532b930dcbfde8a68582f4a1e1163c2ca1af15439acf84699e2bd93bd6

SHA512
6dd0887954bb64677daa14ae087b7198d3d7ac467336765ca194233401c19559aca9190e859e6c95541f1ad97a5df1e3e546b78b31552d8fcf30d9ca9aca398c

Download Submit
\Users\Admin\AppData\Local\Temp\is-J0SV5.tmp\pdfelement-pro_full5239.tmp

Filesize
1.4MB

MD5
6f305dae9a639b29138a0c3ab2ded6e2

SHA1
62611c07da4bae4b56b819b56186189788d9fb75

SHA256
dc11e24fa57fbad625b733cac05e0a44d97e4799ccd8979a77bdf7c50d5b8418

SHA512
dff794bee824fab3e69e9ad85a6deaa7290c3486c9c64912cff97e8b02e3082fed7b047dedf4ff5b2f9afb6c239ac267f741762ab3493f18211042195e09e487

Download Submit
\Windows\System32\PEPrinterMonitor.dll

Filesize
278KB

MD5
9dcb0351332621c00c7dfafcde6df3ad

SHA1
cf53a36158bca80ec89a8e276f661c6a63831d05

SHA256
011f682171bf61ee6000b1f921fa98647701bb11b11c86188c4395f1b955bd12

SHA512
0993493d221098ecbe2327eee7a43b1a122f094b467ef0b00476cb49e93c15b4ba7b982ae269203f64c3ca8245951d0b371e03bcaf25762f4bfeda78b602253b

Download Submit
\Windows\System32\spool\drivers\x64\PS5UI.DLL

Filesize
248KB

MD5
34fe8243c4ce5db32b593857a9ab65bc

SHA1
bedd7610b754f6216131a0f509fc9d8813e439f4

SHA256
28a1cc523e3708c48fca4095d1ede1a81fdf1954b743eca4d6c8172f0116a3d6

SHA512
561503728c5598ce360e85130bef4172fe0e0fc57417e2549d6a15c509244d67cc84ef775450c133170df2e9c258951549fad32c3080a52394078756b60f3376

Download Submit
\Windows\System32\spool\drivers\x64\PS5UI.DLL

Filesize
248KB

MD5
34fe8243c4ce5db32b593857a9ab65bc

SHA1
bedd7610b754f6216131a0f509fc9d8813e439f4

SHA256
28a1cc523e3708c48fca4095d1ede1a81fdf1954b743eca4d6c8172f0116a3d6

SHA512
561503728c5598ce360e85130bef4172fe0e0fc57417e2549d6a15c509244d67cc84ef775450c133170df2e9c258951549fad32c3080a52394078756b60f3376

Download Submit
\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL

Filesize
732KB

MD5
fd759f3f3dbda773e410172b8fe9b716

SHA1
be6553806f25e3c3413064e6fc4a82d01bab3ff5

SHA256
b5b15b0f92cd60314d45aa2bc3cf06109a050b3c096168fb35d584281fed3507

SHA512
789e351e84d409c37c77ce51b82fc63ce22023ad0ab326f7455aca2a8834fe7145293f30ee19a616d4fe1917512a9ce1fdb0856004852d67c0d13b5a737627a4

Download Submit
\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL

Filesize
732KB

MD5
fd759f3f3dbda773e410172b8fe9b716

SHA1
be6553806f25e3c3413064e6fc4a82d01bab3ff5

SHA256
b5b15b0f92cd60314d45aa2bc3cf06109a050b3c096168fb35d584281fed3507

SHA512
789e351e84d409c37c77ce51b82fc63ce22023ad0ab326f7455aca2a8834fe7145293f30ee19a616d4fe1917512a9ce1fdb0856004852d67c0d13b5a737627a4

Download Submit
\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL

Filesize
732KB

MD5
fd759f3f3dbda773e410172b8fe9b716

SHA1
be6553806f25e3c3413064e6fc4a82d01bab3ff5

SHA256
b5b15b0f92cd60314d45aa2bc3cf06109a050b3c096168fb35d584281fed3507

SHA512
789e351e84d409c37c77ce51b82fc63ce22023ad0ab326f7455aca2a8834fe7145293f30ee19a616d4fe1917512a9ce1fdb0856004852d67c0d13b5a737627a4

Download Submit
\Windows\System32\spool\drivers\x64\PSCRIPT5.DLL

Filesize
732KB

MD5
fd759f3f3dbda773e410172b8fe9b716

SHA1
be6553806f25e3c3413064e6fc4a82d01bab3ff5

SHA256
b5b15b0f92cd60314d45aa2bc3cf06109a050b3c096168fb35d584281fed3507

SHA512
789e351e84d409c37c77ce51b82fc63ce22023ad0ab326f7455aca2a8834fe7145293f30ee19a616d4fe1917512a9ce1fdb0856004852d67c0d13b5a737627a4

Download Submit
memory/268-78-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/268-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/304-1277-0x0000000000EA0000-0x000000000165C000-memory.dmp

Filesize
7.7MB

Download
memory/304-1281-0x000000001B720000-0x000000001B9D0000-memory.dmp

Filesize
2.7MB

Download
memory/304-1284-0x00000000002C0000-0x0000000000340000-memory.dmp

Filesize
512KB

Download
memory/304-1285-0x00000000002C0000-0x0000000000340000-memory.dmp

Filesize
512KB

Download
memory/304-1288-0x000000001CAA0000-0x000000001CBCA000-memory.dmp

Filesize
1.2MB

Download
memory/304-1512-0x00000000002C0000-0x0000000000340000-memory.dmp

Filesize
512KB

Download
memory/304-1301-0x0000000000E00000-0x0000000000E74000-memory.dmp

Filesize
464KB

Download
memory/304-1511-0x00000000002C0000-0x0000000000340000-memory.dmp

Filesize
512KB

Download
memory/316-1207-0x0000000000150000-0x000000000020E000-memory.dmp

Filesize
760KB

Download
memory/784-1173-0x0000000000390000-0x00000000003BC000-memory.dmp

Filesize
176KB

Download
memory/968-92-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/968-93-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/1132-1260-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/1356-1273-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/1356-292-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/1356-1175-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/1356-84-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/1356-80-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1356-79-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/1356-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1356-521-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/1356-1365-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/1368-1220-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

Filesize
88KB

Download
memory/1496-1212-0x0000000000CB0000-0x0000000000D6E000-memory.dmp

Filesize
760KB

Download
memory/1532-1266-0x00000000009B0000-0x00000000009CC000-memory.dmp

Filesize
112KB

Download
memory/1668-1289-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1668-1308-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/1668-1307-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/1668-1305-0x0000000004DC0000-0x000000000508A000-memory.dmp

Filesize
2.8MB

Download
memory/1668-1314-0x00000000051C0000-0x0000000005470000-memory.dmp

Filesize
2.7MB

Download
memory/1668-1306-0x0000000004DC0000-0x000000000508A000-memory.dmp

Filesize
2.8MB

Download
memory/1668-1331-0x0000000000B05000-0x0000000000B23000-memory.dmp

Filesize
120KB

Download
memory/1668-1309-0x0000000005090000-0x00000000051BA000-memory.dmp

Filesize
1.2MB

Download
memory/1808-1283-0x0000000000ED0000-0x0000000000F50000-memory.dmp

Filesize
512KB

Download
memory/1808-1276-0x0000000001010000-0x000000000101C000-memory.dmp

Filesize
48KB

Download
memory/1856-1274-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/1888-1278-0x0000000000FF0000-0x000000000100C000-memory.dmp

Filesize
112KB

Download
memory/2540-1350-0x00000000024E6000-0x000000000251D000-memory.dmp

Filesize
220KB

Download
memory/2540-1344-0x000000001C130000-0x000000001C3E0000-memory.dmp

Filesize
2.7MB

Download
memory/2540-1343-0x000000001C000000-0x000000001C12A000-memory.dmp

Filesize
1.2MB

Download
memory/2540-1342-0x000000001BD30000-0x000000001BFFA000-memory.dmp

Filesize
2.8MB

Download
memory/2540-1341-0x000000001BD30000-0x000000001BFFA000-memory.dmp

Filesize
2.8MB

Download
memory/2540-1340-0x000000013FCE0000-0x000000013FCF0000-memory.dmp

Filesize
64KB

Download
memory/2728-1355-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2728-1356-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download