hxxps://www[.]pdfpowertool[.]com/_/download/ppt/pdfpowertool_setup[.]exe

Analysis

max time kernel
299s
max time network
272s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/05/2023, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.pdfpowertool.com/_/download/ppt/pdfpowertool_setup.exe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2508	pdfpowertool_setup.exe
2568	pdfpowertool_setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
2508	pdfpowertool_setup.exe
2568	pdfpowertool_setup.tmp
2568	pdfpowertool_setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\PDF Power Tool\unins000.dat	pdfpowertool_setup.tmp
File created	C:\Program Files\PDF Power Tool\is-IRVIR.tmp	pdfpowertool_setup.tmp
File created	C:\Program Files\PDF Power Tool\is-T9KLV.tmp	pdfpowertool_setup.tmp
File created	C:\Program Files\PDF Power Tool\is-OKLCR.tmp	pdfpowertool_setup.tmp
File opened for modification	C:\Program Files\PDF Power Tool\unins000.dat	pdfpowertool_setup.tmp
File opened for modification	C:\Program Files\PDF Power Tool\pdfpowertool.exe	pdfpowertool_setup.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
2568	pdfpowertool_setup.tmp
2568	pdfpowertool_setup.tmp
1708	chrome.exe
1708	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
2568	pdfpowertool_setup.tmp

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 932	1708	chrome.exe	28
PID 1708 wrote to memory of 932	1708	chrome.exe	28
PID 1708 wrote to memory of 932	1708	chrome.exe	28
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 904	1708	chrome.exe	30
PID 1708 wrote to memory of 2032	1708	chrome.exe	31
PID 1708 wrote to memory of 2032	1708	chrome.exe	31
PID 1708 wrote to memory of 2032	1708	chrome.exe	31
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32
PID 1708 wrote to memory of 1260	1708	chrome.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.pdfpowertool.com/_/download/ppt/pdfpowertool_setup.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6839758,0x7fef6839768,0x7fef6839778
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:2
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3736 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3712 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:2
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1356 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4136 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3324 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Users\Admin\Downloads\pdfpowertool_setup.exe
  "C:\Users\Admin\Downloads\pdfpowertool_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\is-L0APK.tmp\pdfpowertool_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-L0APK.tmp\pdfpowertool_setup.tmp" /SL5="$50174,1895690,119296,C:\Users\Admin\Downloads\pdfpowertool_setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4328 --field-trial-handle=1344,i,15161285710137646405,12076652190213967798,131072 /prefetch:8
  2⤵
  PID:2936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e9179f1895956a470bf372a554728394

SHA1
86e2ff6198ec43b9f1cf41b14aa6a2754e9e9b41

SHA256
58610d5a12d2bcb685790a53df61f508fd288069520ea9a74e1ef7632c913f7b

SHA512
f071e06f19b3a85b55b20a542c9ff27659bf2a5fdb249810be4b422d43b09adbc651fd19413daaa3a1e0b452c4cdf151aa85acd18ba39ff8e937a14e3e82cd26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\040f2519-0cf5-4208-91fb-09c31f6f12c5.tmp

Filesize
4KB

MD5
3717f28488a1c8f46e3a1f1dea2861de

SHA1
c3e94e3febe592e86f68d77abb345fccdf5d841e

SHA256
1ec988fa506ef595e67e594dfe88faf625c0a19b47c3fba00ae131e2e0f0c846

SHA512
e67a63dfe81f8595c00d795a61f1123fcf25f0306b81906ff85d7b95c0418dfb88d85ba702b2f58026ed6959daa5acc997515b13a496260b49c2ebb7e84853c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6d6f67.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a4ccdeaafb05287613e8af688eb3745f

SHA1
4b30cb2586b2b840e8c43658fe4f133a2e324326

SHA256
5c216fa8ac00ba13068fb076b7ee1941c6bd024d393e21f4b3869061a463e2fa

SHA512
59f5492beb41ad8b16d46b8963dc6dac72d04205ee0aa3fe3efe8ac40759f62f16c923459ea1225441b140fbc6b895a95ebe54b27323090a02a22dc1f20eba4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9f6277a95a6d436e96806683f4bf88ab

SHA1
78914dbf793747a8048e75d87cf0ebd1f96e3e7a

SHA256
e084f01912a47653b8f2ce52a791a4ef21f876416f34a02b52a64cdfd303023b

SHA512
8801c36763f9fc422eca04a67561a93aebc108da99c98494b57386d1a1623df04f1db0808b2987b1576594fca0fedf99e26b4fd1e5ef72c92792e7a6558991ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1389.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L0APK.tmp\pdfpowertool_setup.tmp

Filesize
1.1MB

MD5
e4a2856522e6a817e3f0edd2677fa647

SHA1
7cffea7ad238e4d2a64238139ab64802dbaf1185

SHA256
e11132ca9fb98307830147446f5f731e19e308949e1a473d177d5a9f7ddf9c7e

SHA512
25df15be9123496ed7f798ef892da334cc347016fcede7a6d4d580871926b2396923d71db9fdf8773dbca7a33e03bf33774c4bf2c9837918d1411eead573d964

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L0APK.tmp\pdfpowertool_setup.tmp

Filesize
1.1MB

MD5
e4a2856522e6a817e3f0edd2677fa647

SHA1
7cffea7ad238e4d2a64238139ab64802dbaf1185

SHA256
e11132ca9fb98307830147446f5f731e19e308949e1a473d177d5a9f7ddf9c7e

SHA512
25df15be9123496ed7f798ef892da334cc347016fcede7a6d4d580871926b2396923d71db9fdf8773dbca7a33e03bf33774c4bf2c9837918d1411eead573d964

Download Submit
C:\Users\Admin\Downloads\pdfpowertool_setup.exe

Filesize
2.2MB

MD5
cac8718490502e7bd8a73650fc38bd05

SHA1
30496b83f4da2e13b3cae2f466552e3d595b128c

SHA256
e4b0c42ba1157e3c0f34cdec004ef1092542e42c34af7fee048ebf79a12098a9

SHA512
f0df823d7a675047366d903f6d3e42c9545e7ef968b8a5a10947c760bf4b264da33a4c84f4b98ccb4fef22e09506730df9292375bcc08e03fab9038d5a773232

Download Submit
C:\Users\Admin\Downloads\pdfpowertool_setup.exe

Filesize
2.2MB

MD5
cac8718490502e7bd8a73650fc38bd05

SHA1
30496b83f4da2e13b3cae2f466552e3d595b128c

SHA256
e4b0c42ba1157e3c0f34cdec004ef1092542e42c34af7fee048ebf79a12098a9

SHA512
f0df823d7a675047366d903f6d3e42c9545e7ef968b8a5a10947c760bf4b264da33a4c84f4b98ccb4fef22e09506730df9292375bcc08e03fab9038d5a773232

Download Submit
C:\Users\Admin\Downloads\pdfpowertool_setup.exe

Filesize
2.2MB

MD5
cac8718490502e7bd8a73650fc38bd05

SHA1
30496b83f4da2e13b3cae2f466552e3d595b128c

SHA256
e4b0c42ba1157e3c0f34cdec004ef1092542e42c34af7fee048ebf79a12098a9

SHA512
f0df823d7a675047366d903f6d3e42c9545e7ef968b8a5a10947c760bf4b264da33a4c84f4b98ccb4fef22e09506730df9292375bcc08e03fab9038d5a773232

Download Submit
\Users\Admin\AppData\Local\Temp\is-70A1S.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-70A1S.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-L0APK.tmp\pdfpowertool_setup.tmp

Filesize
1.1MB

MD5
e4a2856522e6a817e3f0edd2677fa647

SHA1
7cffea7ad238e4d2a64238139ab64802dbaf1185

SHA256
e11132ca9fb98307830147446f5f731e19e308949e1a473d177d5a9f7ddf9c7e

SHA512
25df15be9123496ed7f798ef892da334cc347016fcede7a6d4d580871926b2396923d71db9fdf8773dbca7a33e03bf33774c4bf2c9837918d1411eead573d964

Download Submit
memory/2508-217-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-233-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-195-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2568-218-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2568-221-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2568-209-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2568-232-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download