c08e535d1f06fe1bc79de2d8d50bf4c036d4e59416992b9ed08395d143aae67b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDFeditor_pe100-cpc-895.exe
Size

1.9MB
MD5

459612ae4f7594bc66db8030f50fd77d
SHA1

3beff442c1e897f5ff8f8312be7d7a1feb991b6f
SHA256

e3769e0029e021b9fa85d0c5e30f17438e335e862748787125655b20f84fe641
SHA512

60df943e0a79a5ea754c344a1e84522e8c34e87ce097f105958b20767dbef2fa6f6459c28eedb3014cb53ed38c25f2d6fba00223b23fb788bd2309e13f38d9ec
SSDEEP

24576:ScZKJe84Q/r6PseDjqyCJwkFvmqfn3tNJJnFtwoFnFtwoFSH/C7f8n6iG:WJe844WsDLWSOOt/JnFtbnFtXSc8n6iG

Score

5^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PDFeditor_pe100-cpc-895.exepdfeTools.exePDFEditor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	PDFeditor_pe100-cpc-895.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	pdfeTools.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	PDFEditor.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 1 IoCs

Processes:

PDFEditor.exe

description ioc process

File opened for modification C:\Windows\ PDFEditor.exe
Executes dropped EXE 4 IoCs

Processes:

pdfeTools.exePDFEditor.exePDFEditor.exefyupdate.exe

pid process

3180 pdfeTools.exe
4900 PDFEditor.exe
1236 PDFEditor.exe
2224 fyupdate.exe

description	ioc	process
File opened for modification	C:\Windows\	PDFEditor.exe

pid	process
3180	pdfeTools.exe
4900	PDFEditor.exe
1236	PDFEditor.exe
2224	fyupdate.exe

Loads dropped DLL 11 IoCs

Processes:

PDFEditor.exeregsvr32.exeregsvr32.exePDFEditor.exeregsvr32.exefyupdate.exe

pid	process
4900	PDFEditor.exe
4900	PDFEditor.exe
4900	PDFEditor.exe
4396	regsvr32.exe
2904	regsvr32.exe
1236	PDFEditor.exe
1236	PDFEditor.exe
3440	regsvr32.exe
1236	PDFEditor.exe
1236	PDFEditor.exe
2224	fyupdate.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA1A27D7-D3AE-4A03-BEE0-E694A5EF591E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA1A27D7-D3AE-4A03-BEE0-E694A5EF591E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\fypdfeditor\\pdfeditormenu64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA1A27D7-D3AE-4A03-BEE0-E694A5EF591E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

PDFEditor.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PDFEditor.exe = "11000"	PDFEditor.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1B4807E-65DB-4FE7-88FE-DB703CF57807}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70026DA6-0CB8-4F47-8789-5DEF9F2BC4A1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F6E91C4-12B5-4E2F-9C2B-479EF525A9F7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63375FB3-4F89-42F0-8090-209E954EBA1A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C5A57C2-81CA-4F69-BC52-A86F244934AF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F114962-0BD3-46E4-9128-B8AE21D8BA5D}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29A02EF5-5573-44CA-B272-D8AD94ABFA08}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{999A6C12-A602-4601-9866-0B9AE973B7F2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C5CE95F-3FC4-4FE8-8159-21D550451AF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9764FFB4-99C8-4FE5-BF07-225580214F60}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D726366D-34D6-49FC-A341-7B84C54CCA3E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{800CE6D3-E641-43D6-AB1B-D011D75D476C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0265291-1DFC-4377-B60D-7AE9CA536A73}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3405AD2D-C01C-4EE7-B551-5613AABFEFF2}\ = "IPXV_DocSelection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{555C4721-774B-4E81-9BA5-62D7ED4E5B87}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{70026DA6-0CB8-4F47-8789-5DEF9F2BC4A1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFXEdit.PXV_Inst\ = "PDF-XChange Editor ActiveX Instance"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E18E8434-3DF3-4A20-BFDC-F1F5272F162E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF68A980-B679-48CF-ADF3-951AD4BD343B}\ = "IPXC_DocSrcInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{27F3CABC-31C1-4B29-A782-B68D4F4EA61A}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E3F042E4-CBFA-4A87-984D-C6CF49118BF5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{555C4721-774B-4E81-9BA5-62D7ED4E5B87}\ = "IPXV_JSValue"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB35E2D7-12DB-4DD7-AE5E-43B6E2B9D163}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB8E43A8-D47B-4C41-B39D-52DD8D17E77C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{211AAF91-E97A-454C-9669-EDAEC904E16D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A48F242-109E-4BB0-BE84-A4B5A461CCDF}\ = "IPXV_ContentsView"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D00937C-06B9-4B5C-9A94-A7E046336B01}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF53F225-0530-4DCA-A174-240E61969C6D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{531DF7F3-0513-443E-BAD5-A1EF75A87C09}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3BBC168-3896-467E-9C5D-D46845C0E25E}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF68A980-B679-48CF-ADF3-951AD4BD343B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E80DDA0B-E21C-4579-A7C3-E47F1980DC64}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7ED881CB-9DA1-4D56-94E6-5DDE88D5E844}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95ABC066-9919-4571-8387-7A7CFB5FAEEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BB3E2D5-EC9F-468F-834C-4CEC84FB2325}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C341E89-9DC0-4DDA-94D1-BE06A410FC14}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F114962-0BD3-46E4-9128-B8AE21D8BA5D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1149909-4EDC-4421-B9E5-E93C25A000A1}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237F6B6F-DAB7-4230-B2E9-49D5C6AB9243}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{092DCFE6-4B0E-4392-A71A-137E9F5DBF17}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77FC3DBC-DB44-48C6-AC03-51E54646A4D9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79586BD0-9628-4216-BEA9-41186DFD9C78}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB35E2D7-12DB-4DD7-AE5E-43B6E2B9D163}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{78527649-463C-49AA-8EA8-8DC10505FB31}\ = "IPXV_FormFieldsEvent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF87328C-B7C8-4FC8-8DE6-043E83F25A17}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F5231AB-AF92-4184-A361-5A3307A3464E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3C2B51C-003A-4D39-A90A-BB4486BF1E2C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E920A0D-3156-4EB6-932F-5AB7287C54E5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E31522CE-AB58-45E5-95CC-D51B4429C8EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69E71C54-93FD-403B-BED2-E9B703EFCCF8}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{058487BC-FAB1-43E1-B9E0-77E7ADB97460}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{973BF60B-4CC6-4be0-B408-3D80E07FC2E6}\ProgID\ = "PDFXEdit.PXV_Inst.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A690B54-0046-47E7-960E-9C2630770D20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13A68D58-65AC-43B2-A0D6-A3D9DFA47170}\ = "IUIX_ParaFormat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E3B7703D-456F-4B3B-B3F4-1B207653B25F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7A3EBDB-C571-4D46-A3C5-50CC391F8C83}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B1CB5B5-8FC9-426B-B0D0-42BCADFE3935}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF53F225-0530-4DCA-A174-240E61969C6D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB35E2D7-12DB-4DD7-AE5E-43B6E2B9D163}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A018E70A-4E56-44ED-8E14-BB82ED650C38}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F16D4312-0B2D-4C64-9FC7-DBC648B9B3AA}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3116D512-3C69-454E-9040-8EE1652886C8}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{499EF19E-675E-436D-84B5-53E25C56CB02}\TypeLib\ = "{0AAFF38C-CB91-4424-A8B9-F8B504ACBE0C}"	regsvr32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

PDFEditor.exe

pid process

1236 PDFEditor.exe

pid	process
1236	PDFEditor.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PDFeditor_pe100-cpc-895.exefyupdate.exePDFEditor.exe

pid	process
868	PDFeditor_pe100-cpc-895.exe
868	PDFeditor_pe100-cpc-895.exe
868	PDFeditor_pe100-cpc-895.exe
868	PDFeditor_pe100-cpc-895.exe
868	PDFeditor_pe100-cpc-895.exe
868	PDFeditor_pe100-cpc-895.exe
2224	fyupdate.exe
2224	fyupdate.exe
1236	PDFEditor.exe
1236	PDFEditor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

PDFeditor_pe100-cpc-895.exe

pid process

868 PDFeditor_pe100-cpc-895.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

PDFEditor.exePDFEditor.exe

pid process

4900 PDFEditor.exe
1236 PDFEditor.exe
1236 PDFEditor.exe
1236 PDFEditor.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PDFeditor_pe100-cpc-895.exepdfeTools.exeregsvr32.exePDFEditor.exe

description	pid	process	target process
PID 868 wrote to memory of 3180	868	PDFeditor_pe100-cpc-895.exe	pdfeTools.exe
PID 868 wrote to memory of 3180	868	PDFeditor_pe100-cpc-895.exe	pdfeTools.exe
PID 868 wrote to memory of 3180	868	PDFeditor_pe100-cpc-895.exe	pdfeTools.exe
PID 868 wrote to memory of 4900	868	PDFeditor_pe100-cpc-895.exe	PDFEditor.exe
PID 868 wrote to memory of 4900	868	PDFeditor_pe100-cpc-895.exe	PDFEditor.exe
PID 868 wrote to memory of 4900	868	PDFeditor_pe100-cpc-895.exe	PDFEditor.exe
PID 3180 wrote to memory of 4396	3180	pdfeTools.exe	regsvr32.exe
PID 3180 wrote to memory of 4396	3180	pdfeTools.exe	regsvr32.exe
PID 3180 wrote to memory of 4396	3180	pdfeTools.exe	regsvr32.exe
PID 4396 wrote to memory of 2904	4396	regsvr32.exe	regsvr32.exe
PID 4396 wrote to memory of 2904	4396	regsvr32.exe	regsvr32.exe
PID 1236 wrote to memory of 3440	1236	PDFEditor.exe	regsvr32.exe
PID 1236 wrote to memory of 3440	1236	PDFEditor.exe	regsvr32.exe
PID 1236 wrote to memory of 3440	1236	PDFEditor.exe	regsvr32.exe
PID 1236 wrote to memory of 2224	1236	PDFEditor.exe	fyupdate.exe
PID 1236 wrote to memory of 2224	1236	PDFEditor.exe	fyupdate.exe
PID 1236 wrote to memory of 2224	1236	PDFEditor.exe	fyupdate.exe

C:\Users\Admin\AppData\Local\Temp\PDFeditor_pe100-cpc-895.exe
"C:\Users\Admin\AppData\Local\Temp\PDFeditor_pe100-cpc-895.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe
"C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe" regdll=C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:2904

C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
"C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe" RegisterFileRelation
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFXEditCore.x86.dll
3⤵
- Loads dropped DLL
- Modifies registry class
PID:3440

C:\Users\Admin\AppData\Roaming\fypdfeditor\fyupdate.exe
"C:\Users\Admin\AppData\Roaming\fypdfeditor\fyupdate.exe" -o=pdfeditor -e=PDFEditor.exe -c=CFyMainDlg
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fypdfeditor\DuiLib.dll

Filesize
1.2MB

MD5
f6c40dfe4ebc6744a6fa6b18fad88b18

SHA1
ee5a2401bc29c6b99863988206de35cf710b693e

SHA256
006007b9d13db0af8f067d083cdcc911d0c3b7de3bd6d3481506a142b969facc

SHA512
c8db680903bdd37e45b6893e267b9a17870ecaff26a13251c621ddb808b85ac58536c26db37f5246599113de89ac665d0cb0859e2e624245496d2bb5e24a9a93

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\DuiLib.dll

Filesize
1.2MB

MD5
f6c40dfe4ebc6744a6fa6b18fad88b18

SHA1
ee5a2401bc29c6b99863988206de35cf710b693e

SHA256
006007b9d13db0af8f067d083cdcc911d0c3b7de3bd6d3481506a142b969facc

SHA512
c8db680903bdd37e45b6893e267b9a17870ecaff26a13251c621ddb808b85ac58536c26db37f5246599113de89ac665d0cb0859e2e624245496d2bb5e24a9a93

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\ErrorLog.log

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.cs-CZ.xcl

Filesize
542KB

MD5
7ad2262665706cb3c942e4a96481e0b8

SHA1
6707ecf91fddd6e02105dfaff21ad17e1f95ba90

SHA256
b3ba3b8f9d08d84d5a4cdd8c81c48e93ea66a2fafb6df39b970c48cf60445081

SHA512
359bf1a19a9da316dbb0232d33409d9085b773df15b8426554044b274bd42c98d659779d22a931f7c5eab129eb083b7821a822b2ade357531c3361069fb3f462

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.da-DK.xcl

Filesize
519KB

MD5
583eb3292ac0d42f745dd3117d1c663f

SHA1
a831bc116491249b1923f4fcec56cdc57e9e0867

SHA256
f84091bb1518343cb960dd9e5e07112c6e5fe223191c9d2569718c806e9336ed

SHA512
2fe02a8d35cabf0d1f65eedfb334dea7e9abb0815462ee9168a5451dc2445918b9cc90c2c1f98828c5f91157b0e1ec027b368f5b86bd0bb2325fce73c25faf38

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.de-DE.xcl

Filesize
568KB

MD5
ca1ad439e25e5ffb428cc434a2d1f0a5

SHA1
0014307ece52976f579bb2bb3882257aef7e2542

SHA256
f134542f0a32ee8fa91e23cb45546de850bde961c84229df188e10e9ad66483a

SHA512
728e2876fc6190ddbced9b279c48989f9602d0c4a9f5dcb9ea92eed68742014fd54c7b7ee72e23d5e0115f20279d0c974b9e39eda0db9918e61fd83b0a3700b5

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.el-GR.xcl

Filesize
528KB

MD5
000659ee3da793c0399f170657fb8423

SHA1
b36576aed27298dfe312489f5424d1547ace208a

SHA256
7cb493a3abb643c6a94e4fd2c6496b2bc021ff0bd54851b6bf45771368c1bd29

SHA512
aa145cd32cff0d91ffc3ffe94514648f0d0fe5146214f6999553b4825c9c54e08eaabfd63d29f6ef84d970a7cd71b8972f488776fa1892810b194c618af69091

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.es-ES.xcl

Filesize
558KB

MD5
739a4be3327e0b19a9d3507a228247be

SHA1
b327d80ba769e6a6cf2c34d0da45fec4e4b53104

SHA256
6c9074121255419f53c409e77630db1154ea274b0f86115790959ab82acd587c

SHA512
435c26377bff05f12f17f59b79ce7b961883c986d1e8765bd1aadf7c81c6ee81927e6fb8724393c1b5ad67fa0201231b4034be0816b3e8bf27aee03e045afbe4

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.fi-FI.xcl

Filesize
525KB

MD5
4e72fba3ddb0dd86fdc1177097dcc312

SHA1
828c4c51d27a93fb5444772bf008878528984f82

SHA256
f0e58a59bac97300e781a498366529b499d76e52405a7bde21ec278f9699fa31

SHA512
aab8a38f8915c3867c5c3e9406f955435b4d99ff123027b4a1467a0f4a4d06077072d3283e414543f093766fca4b1d8ef30fe7ff2386c6cdd551a046c4d799f2

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.fr-CH.xcl

Filesize
354KB

MD5
f65d8378a0af97b067928e813dbc7689

SHA1
13de4c0ad2be33dbc78080181037b3214f5b21f9

SHA256
db960a1be3bd55f2fafbd820395495e8fe939ef966bf8a18b341cc2e5541a01a

SHA512
7a4d7569c6820f1c7684337c0a0493d7d53b47ee274b09e421b6bbf16832bb5671c3cdb9682406820cb78081a1806610b0976f2fdfa9b0fe43387c7c251f5d67

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.fr-FR.xcl

Filesize
564KB

MD5
2fae3d3390ada31e77df3388d40f3944

SHA1
078aebba62984f5b8662dc91a5ed055eadb2ec0a

SHA256
20e97164abb21898c8b4062fe0d8bc531d42992218a9dd419d77ff29f1c2c936

SHA512
045223c5e83cc726c2fc3df7ce885e2dd33fe0c31398867057ec0fd38b43f30b86253fb65aaa2a223adbf1c3f76aae1c74b2635d231ab671a01b32cc42d2824d

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.fy-NL.xcl

Filesize
555KB

MD5
cc7f5d17e1e3b73808d3be34fa728928

SHA1
d7fc1e6eedd272a1b7b2336b470a464a96d4b7f7

SHA256
24581c9a55c5cffeeb8335bb3c6818fca7deaf3ec00e00482678498ef1dab3a3

SHA512
dbe69b8399bfa29ec0698ca72c0927e98bb18d2829df71becf75b077655199edfaa271d232e7ac1de2bf9053a54b14e6a5f5a3017d3ada10dfe77e95e61dc012

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.gl-ES.xcl

Filesize
549KB

MD5
5a6550d303da084c6273361369f363fc

SHA1
916782e0d3e71a9dab0583efb79c3e5cd7c38faf

SHA256
434568902c8b9509e094410518f0af2320081d52b79976a6989fb273ed64fc91

SHA512
e7100b2f44ca8d8459077dacc8b4ec317040d771b34dbc3cfbee3fbcde9ef30f29fafa03aff87588d3e94b1980199abcf5feaa9303e36c881583e3aa790ef5af

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.he-IL.xcl

Filesize
328KB

MD5
e404f8d0a8a72f0f931f237be838d10a

SHA1
1a4d55beb4f2a48e6b9eff98bd2ea6cbaa7fd2a3

SHA256
19f64ff0b1df8e72e013c799a235961fe4679df60beebae766747c72938a523f

SHA512
fdbd04473986cf500e1031542d974ca393171871feb32ff0d0ba1b29fa06c8dc92c23db43ea8a8aaed7dd90cf109813ba717618e86ed73219785f90d331d4bd7

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.hu-HU.xcl

Filesize
413KB

MD5
3978a67d2d965acb20fa4349bdd82180

SHA1
d72ea881b5738878c0a5037b5907b2b150ac1b44

SHA256
aae01cd12a1a77f2fa56046901b62fc60d2350665170b40def67006c771a8d00

SHA512
7754e8c9978f002773bf1174db1c01135a68e044b0856720dc5cb08c5792d61efef05e6336a2a71376a3171b15391d3947e196404463bcb36b1775ac025f1fdd

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.it-IT.xcl

Filesize
563KB

MD5
d0744bf024b160abc85f6d214cea80c0

SHA1
2bf0060c567bc06b5bf0706a07f7c23d834242fc

SHA256
80961cee4a96d99e5f6cbbdc5982d494da1c6ebbc8145b634927d362a573eca8

SHA512
58097c2369c0884dea3554cdb0c9a7b197d0671c84331c76aa963dcaf99e711ea2e83b7984ca080d5079e9fb205be28878749811cce519e43c959bf3688bd4b7

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.ja-JP.xcl

Filesize
596KB

MD5
09cbcdf62c94ab49c58fe1ae15f1dddd

SHA1
1e31835edaf8a965550a5aa561afaad94ad1a38c

SHA256
b904eff69afb7b9d9500d45f00fc59a022e933acc6e6c1f4f1964028b67e7c68

SHA512
1df8187e3c9b37913d257800c06a99427f07fd540ab55a20c33946c431b197dfc4f7f5b4755604fe954418f83b87c2bc51f3887489a20ca3c7be9be776f354ed

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.ko-KR.xcl

Filesize
325KB

MD5
26fdd257d2a38f24276af49b565d0ef3

SHA1
299a1c653e41f18e7a1391cfe98ce3a716f970df

SHA256
2340281a0374e405bba3a0d3fbec4b4d7cafafc4bdf37b25eaa2c73a36330ead

SHA512
7aa5dd8127713792c5789cc62e370e29e458575383846704c8c0fb60ca9884fc4015bb6f6edb814700e4bc22cbd3ed0e3b59d39eaedfa153e636ba7aa823f23a

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.nl-NL.xcl

Filesize
514KB

MD5
01acfdd4c5f611a3ef77a3630171f665

SHA1
53e741bc4fe10ed43ae3e04c8fe47ae477ac75b0

SHA256
d64d31e7fbb36e6b811032d11525e38ec8c41d6931680d24f98acecfcb09a9a9

SHA512
1f00ccf69a49e691b018987ddf118927af895e825f2b1979f56b9f0103cff5be0c933c99501422b94ae5eef25cefad8acb76d266de3772e494c70484d0836ab9

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.pl-PL.xcl

Filesize
490KB

MD5
6eb08f46c37634f143be3cc0bed9c2d2

SHA1
3c7bb1b67c873ab301728314a7cee1e8318baa3f

SHA256
a262ed5ca1bc6e7960d544a66be5a579b75bdc1fd9ce01467c3c089e503d5e58

SHA512
14389a817150466fdf4ed6c8f5917016e4749e65f9c7e916237312ef8a6a78f499a9ab76dc6d31978267ed371b5dcb69266f3a831208f7e04126c703e0ebc31c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.pt-BR.xcl

Filesize
560KB

MD5
b0e773407592a9e006a0cf6a3ccf8714

SHA1
989ba3c5fcc5c8e309cff217dc665ca0381a80a7

SHA256
5f0fc3b7ba11efc99a61cc1bfb455bb2faea227a0e10202894ccbfe549c65302

SHA512
dd8a3a84ec23894eeedbb4254e783a7a42b722801a0f0e8f557a961c67f02d0486104a696288da3e1fdea8f3cf48cff59142ccc0ee179a97deabc53819fa1552

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.pt-PT.xcl

Filesize
370KB

MD5
13bd9ac22a78b741566f8ee3f135630a

SHA1
d172bba852e88ec9d2303207b4d79fb30350bb0a

SHA256
b10c3940510b0c5e1aff0a5a862fbdcc5fc999f2a80f5268520c4d31f9a38442

SHA512
9e2c2299f947f7cdadfd4ba209e474a27d47eb2d0e4c70996b00fb4ea16aa010f9efdf5164bec728103a5afe8e7776ef8c51a967eaac5850b30304510c107e81

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.ro-RO.xcl

Filesize
368KB

MD5
73cb320d257246cec6dc035004a1f59d

SHA1
f6fc11c301ff2cc29c25272e06899511555e1744

SHA256
5cfec41cf2b4691a95e1608ae24e22cde7482cac44c583328d9aa2f58c5c252b

SHA512
99c0ae296cab39c2099b01f7ded417e1d87ece1b09ce28dc60237be530a4fa3aca6a264aab3478088652881e7f58e162a2faba679e08609cd609cbd50b204c1f

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.ru-RU.xcl

Filesize
707KB

MD5
88a152e0877f333cc2863549323a5546

SHA1
0f8f70cfcc3ab194deef2fc390da9ab20d0751bb

SHA256
3374e482352439f852172360334cfe71f77bc0c1bcefeaa67718de39e002d6de

SHA512
54b90291bc98d62f67d40f4b2e81fb1b8b0878dd4bd1d208858f31ed61559b630cebf90c62c8f77e3fb3cc76eefab6386f4427a59bf3158c7a2033ef3270e214

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.sk-SK.xcl

Filesize
398KB

MD5
e865eed8477026f6e0fe5349cfca88dc

SHA1
f995e02759455a2a78872847a93430b08fcfd36e

SHA256
7a64e7445bca3c648790928aa6c03dddffa74a60e38d82f8f92249fde4268ec1

SHA512
75a6606173c162ed0f0aee245b4564ba513d46e610a6965d489b1fd9e110ce4c720246762b54d830d7ead12a4b1c36675a39bf41f7627ff55921f1c743098f74

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.sl-SI.xcl

Filesize
474KB

MD5
5eee8736c32559a98274d689f30d9c0a

SHA1
be22050d6bc217b9080db027efd8325146b6f52b

SHA256
82f21256af2ab1e252ca10ed496f3f4db0e04f3201e7c6a57a564013ffc7ac32

SHA512
c13ead94bd9983a4b099fe3b344d9b9e2fbf54fdefe3280f395a4b591faf02568bd812588b9b551391c41318d85297110e8e7a69b03f27db19fefac2e0c50dd5

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.sr-Latn-RS.xcl

Filesize
531KB

MD5
ba6a7e87cda2dba7b13bc39d28016536

SHA1
448411f4c2f3390f9e827ae627f464c1b1328c0e

SHA256
52ea1c0fc8a5bee3c65ac85b59f52a15a2f526f53239c26728a12478db761735

SHA512
99a8341777c83ee6403fa30a4d383d41c5b9d7a56007227285fe0e94d029b451575189eb87b3f06a8bff59a1943ce5f3bcc3b69a499c968727c8f1e91b9dd47a

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.sv-SE.xcl

Filesize
530KB

MD5
64eab720293432b7c9d1b930c08f9dfb

SHA1
faa8ce0855f829a2826c28bd0b87d9e0339bac95

SHA256
e701c9c13f7a67101743372f6303fcd955258d12002efb2bdff823b076b18592

SHA512
c05896706c8ea25bdc34b4b0c59f07729e10889666b1c745ffd0a45f002978cb0f3bbb7d2ca5e9b33c32fd725c5ecb7d1eff28ddb331f6522388356856e4660f

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.tr-TR.xcl

Filesize
544KB

MD5
6d6cba4183a3c3fbad0578011b2de388

SHA1
118badf030e3e867138259045a504b8e3441277e

SHA256
d96835e3b618b0296e9e5fe65280dab68534655ed8bc56c394e05a9b116aebe3

SHA512
b3bf4c55e1e7dc4c018109e8974866ef839e581d88b0cd24002ab0e035d06f88ed9f69e34b9f95684f00c619c81c34413ef720158a97774690fcad8a8938d562

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.uk-UA.xcl

Filesize
697KB

MD5
329b5e93bdf45d8e27a0f7b3cbcba2f8

SHA1
596e69f6cb7dbcfdfa440566dd124be9317a6bda

SHA256
255b28066c3c5c8ab003866b02897085cc3430b29f4b2c01cbbd47340884551e

SHA512
53a284b08cfbc0a436f05864177eb2b99fbc42317bbf20696a7e5797817355aff06cf93913409c26fb02882ba5e93525c6c8e23bdee10377f8305f26343392c2

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.zh-CN.xcl

Filesize
483KB

MD5
0cf7cdb07ad7d1045438e0ab6e1847a8

SHA1
5421d35733973ea58428ac20887200517160d849

SHA256
6acd53ea0bcc4964ad70068efed922dc048f1fce206d6a31c143885178093ca6

SHA512
a39c8458859f380ad82231e34fa93a04f5d640ccf69e3febb9cb40e6c341edc28d31de4e30e9116026a27f27cf1a9ff657ffbf71f2938fd943daa22a39d6500d

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Languages\Strings.zh-TW.xcl

Filesize
512KB

MD5
c656f83d1f087b6353de074c8cb67311

SHA1
144fe26005e38d816593074797011d8a75a649bd

SHA256
09f6ac47e033b2687cd753a9e3f8f7e3269e9cae6f5fc23c16e49b4d71a21997

SHA512
1f7083b65a4ffacc959363ad98a51ee311eea7c92ff325b2bd22c7ce623f0c20a425fa4e9b94aa4eedb581a7743935d635548b1d61168b4cafbfe45161638c35

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
8.0MB

MD5
141bdac1e112714fcbb568ebe78819e7

SHA1
8d9b6ff13b497e1581b23f8ff44d91526c3a1972

SHA256
15ed72ca22a6d79a10ba813ac76b7ec82b1f007cfd87fa5eafcd869be4ae42c1

SHA512
1d70f940154b370974e1b8cf31ad1108cb86799f39d075d221fc2ff6c82d29c59169de511fdeea68b78ba160ffe8830633234c0714c4756f583d90e695ad833c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
8.0MB

MD5
141bdac1e112714fcbb568ebe78819e7

SHA1
8d9b6ff13b497e1581b23f8ff44d91526c3a1972

SHA256
15ed72ca22a6d79a10ba813ac76b7ec82b1f007cfd87fa5eafcd869be4ae42c1

SHA512
1d70f940154b370974e1b8cf31ad1108cb86799f39d075d221fc2ff6c82d29c59169de511fdeea68b78ba160ffe8830633234c0714c4756f583d90e695ad833c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
8.0MB

MD5
141bdac1e112714fcbb568ebe78819e7

SHA1
8d9b6ff13b497e1581b23f8ff44d91526c3a1972

SHA256
15ed72ca22a6d79a10ba813ac76b7ec82b1f007cfd87fa5eafcd869be4ae42c1

SHA512
1d70f940154b370974e1b8cf31ad1108cb86799f39d075d221fc2ff6c82d29c59169de511fdeea68b78ba160ffe8830633234c0714c4756f583d90e695ad833c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFEditor.exe

Filesize
8.0MB

MD5
141bdac1e112714fcbb568ebe78819e7

SHA1
8d9b6ff13b497e1581b23f8ff44d91526c3a1972

SHA256
15ed72ca22a6d79a10ba813ac76b7ec82b1f007cfd87fa5eafcd869be4ae42c1

SHA512
1d70f940154b370974e1b8cf31ad1108cb86799f39d075d221fc2ff6c82d29c59169de511fdeea68b78ba160ffe8830633234c0714c4756f583d90e695ad833c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFXEditCore.x86.dll

Filesize
35.2MB

MD5
7405bfafceb97d1b3392d3d22a331392

SHA1
bfac9c26f6c7715e6256e81612921d0903783a27

SHA256
1da6b0fc2f63f381f39a6ba04c72ab1b1abad36effa10c971427b6abfb9e51ce

SHA512
d90468d588932959977265eac229530f2a0866ceb9c0ddf165857af287822e02d67005e2b08eaed5c37a6a14064f2fe375bd5f145b85ab0c85943d0708518083

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFXEditCore.x86.dll

Filesize
35.2MB

MD5
7405bfafceb97d1b3392d3d22a331392

SHA1
bfac9c26f6c7715e6256e81612921d0903783a27

SHA256
1da6b0fc2f63f381f39a6ba04c72ab1b1abad36effa10c971427b6abfb9e51ce

SHA512
d90468d588932959977265eac229530f2a0866ceb9c0ddf165857af287822e02d67005e2b08eaed5c37a6a14064f2fe375bd5f145b85ab0c85943d0708518083

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\PDFXEditCore.x86.dll

Filesize
35.2MB

MD5
7405bfafceb97d1b3392d3d22a331392

SHA1
bfac9c26f6c7715e6256e81612921d0903783a27

SHA256
1da6b0fc2f63f381f39a6ba04c72ab1b1abad36effa10c971427b6abfb9e51ce

SHA512
d90468d588932959977265eac229530f2a0866ceb9c0ddf165857af287822e02d67005e2b08eaed5c37a6a14064f2fe375bd5f145b85ab0c85943d0708518083

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\Resources.dat

Filesize
5.8MB

MD5
7c4076ed15c5e80095fad68019ba0d92

SHA1
d8a49e11cd3e451dde3be736ac097dd418503812

SHA256
63a6ecc761e08a6ac26e5feb2a9e34b72a204003443a6a0cd585c5068f3b8e21

SHA512
4751a88cd3a16633ab5b268b57abfb042f7540f09a01fbb104e31ddff434b6de55435053dde768faf19bf0fef834abca615b884f15573400f62611d70b4e614d

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\UserAndPayClient.dll

Filesize
4.5MB

MD5
0fb74f34373855cc50b4a36933284b39

SHA1
1ef96cd9d8cabbf3c5d651abe4dbaeb6369889d5

SHA256
3f553e42efbce9c4f76dd25783b7a5749714b21fe6f1a7e4c64a0d1fcd8f9312

SHA512
72137e9301c436a2a2f9093010427f72f33ae41ad059f12dc48dc5cb7e83dd9c1bddcdb305f72b17a7f99cd0bc51f8460019f5056d72586ca924d948374ff50c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\UserAndPayClient.dll

Filesize
4.5MB

MD5
0fb74f34373855cc50b4a36933284b39

SHA1
1ef96cd9d8cabbf3c5d651abe4dbaeb6369889d5

SHA256
3f553e42efbce9c4f76dd25783b7a5749714b21fe6f1a7e4c64a0d1fcd8f9312

SHA512
72137e9301c436a2a2f9093010427f72f33ae41ad059f12dc48dc5cb7e83dd9c1bddcdb305f72b17a7f99cd0bc51f8460019f5056d72586ca924d948374ff50c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\UserAndPayClient.dll

Filesize
4.5MB

MD5
0fb74f34373855cc50b4a36933284b39

SHA1
1ef96cd9d8cabbf3c5d651abe4dbaeb6369889d5

SHA256
3f553e42efbce9c4f76dd25783b7a5749714b21fe6f1a7e4c64a0d1fcd8f9312

SHA512
72137e9301c436a2a2f9093010427f72f33ae41ad059f12dc48dc5cb7e83dd9c1bddcdb305f72b17a7f99cd0bc51f8460019f5056d72586ca924d948374ff50c

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\VMProtectSDK32.dll

Filesize
98KB

MD5
afbc9d53d31478a193ce74d24d07196d

SHA1
970a6c02bacdb4506bb88258fccf1bdf776d17b2

SHA256
8a154897ec692a3a8571952e8caec49c09bddcc57b1ca9a9b54184fc66ae2982

SHA512
02a52fe395bdfc7399d1b2c811923ece1e3b96dac9e7e0819acc7b7946921d606c1b6f8b38fee8b5a9bb7d84ef6978b6b2b14951d1542cd4e14c8b5b310cf057

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\VMProtectSDK32.dll

Filesize
98KB

MD5
afbc9d53d31478a193ce74d24d07196d

SHA1
970a6c02bacdb4506bb88258fccf1bdf776d17b2

SHA256
8a154897ec692a3a8571952e8caec49c09bddcc57b1ca9a9b54184fc66ae2982

SHA512
02a52fe395bdfc7399d1b2c811923ece1e3b96dac9e7e0819acc7b7946921d606c1b6f8b38fee8b5a9bb7d84ef6978b6b2b14951d1542cd4e14c8b5b310cf057

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\VMProtectSDK32.dll

Filesize
98KB

MD5
afbc9d53d31478a193ce74d24d07196d

SHA1
970a6c02bacdb4506bb88258fccf1bdf776d17b2

SHA256
8a154897ec692a3a8571952e8caec49c09bddcc57b1ca9a9b54184fc66ae2982

SHA512
02a52fe395bdfc7399d1b2c811923ece1e3b96dac9e7e0819acc7b7946921d606c1b6f8b38fee8b5a9bb7d84ef6978b6b2b14951d1542cd4e14c8b5b310cf057

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\WindowsSize.ini

Filesize
66B

MD5
6f86acf8f5bd359a1ea139bf95201bf5

SHA1
b304e199cad3de0d13acd1476a4f1e728f0bee2c

SHA256
95e21d15cd9d7ea3dc0542962f496faa707b40e0221af647cc0e1aee077f9de6

SHA512
42eb2a060c036253a2112390ed23b11278c089d0a96807ffc7a904a6167ab9d2a43a2ed6d37931d59be7fcb0747f6e67eb80e33a7ec534d4f81a30ec3585c86f

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\cookies.dat

Filesize
527B

MD5
548dd4b392407490600f01e217d072de

SHA1
8f43dd23db726fadc133193e52cd1bcc47162e1e

SHA256
54d4ceffd48f768d4fbfc3d0c568051d30bdeb55c73820930c12cf82359837f1

SHA512
19ab5658ea4f97d90dc46dff5e79e6a8fde2d2e4b21db12553a5b5d4a8531dee51b285a8fe35f32d7619106ddae02e80cb97b9827853f69552a5900f5c6df717

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\cookies.dat

Filesize
527B

MD5
ab7d8a288e1bea4a5a23eb1c3f9e0212

SHA1
410c763675c09d0d5e0ef628adb42a03336d65b5

SHA256
05f44fc1d7b939235de5347691127405ccd0d4e20a4314c30a31cb152c73943d

SHA512
f7696feb83f2cbd9c4b226c8a6e24d393f4f65f66d5da680d4802a8006df9ac0009be28e42c8a688018fc3458e82776988132543ec010f3452795ed253df5031

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\cookies.dat

Filesize
583B

MD5
becaa07b0ddfeb5baa6fe3cd0606f25b

SHA1
429074aa3b16d5444cf7489b15013231a1e95eaa

SHA256
2811207c7ee4ea73c6db47afcab38b11797986d8e392c5ecb46d02981d88c414

SHA512
2aaaf91bed9d226973c52e90ea7b76725a45a346cc76b7db4171206796bcbd37f02847ba982ae8612e2a82ff8a8dd5244c834adb5e15a567784f8f3b669cf636

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\cookies.dat

Filesize
663B

MD5
fbefe2f3cec43fd0ee7ff0b79c839815

SHA1
886a05751a9a61dc63ba6bdd5bbe40225af878b5

SHA256
e687f0991f3caff5d562d9fe57d438a6766b014b21eb7ddc30e3396ad3119649

SHA512
63e5ad851a82e61c4da486a956d50bc541180996e6da15623de6d63ca82638ad011647d67708636e5118bb26655aa49571b3714b6ee7baf15cdfda6ed94d2b26

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\cookies.dat

Filesize
750B

MD5
483352c773a837dd4b92b7a6dbb47fa7

SHA1
d72f10ffc9dbd5c5c11062d4e37c15c41f62cb01

SHA256
155050296ad217f5953078c21050826c85665158fbdb7879017aee75671a389f

SHA512
30a39f7085a4b22f71b497db1c33a7b0981fa30ad69e5f1c812ff2b2034b7a0d313268108b0d8e5902ddbe0fda49416e49a19ac2120bc8af536735f6bcab6e72

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\cookies.dat

Filesize
837B

MD5
70060a1cbeca61e6c5548da0a491ae2a

SHA1
76e311ed8742d097f361271bd7db4944f320e429

SHA256
14f8ff1da97b7d2c110eee0b836cbd9037e809fd4e4d86e2602584bf6cf9fcd7

SHA512
f181341c6e5b6afc688100cb2fbafd0dd6690446650259e6afaa1431069758d0cddf24e5d6782b97ae167a72b16311b88e20c41c6a5fdf1e7da406036ec44712

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\fyupdate.exe

Filesize
2.1MB

MD5
c4e2b5eaff8794fc8b3ea8aff41c0364

SHA1
4bccc2f120380e7ed9513c0fbdd1ab452aee72da

SHA256
da23677baa9986ec7388a86bd01b2d7f51752e09c863e9e08fd42aedd715069f

SHA512
2d22967ca635318a71c1a74433e5ce45ba64a38995b2d79dcee78a8113d12c86d6668b0f4f4331cab29b29f018638185db503898d4561438d5fd98103b074428

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\fyupdate.exe

Filesize
2.1MB

MD5
c4e2b5eaff8794fc8b3ea8aff41c0364

SHA1
4bccc2f120380e7ed9513c0fbdd1ab452aee72da

SHA256
da23677baa9986ec7388a86bd01b2d7f51752e09c863e9e08fd42aedd715069f

SHA512
2d22967ca635318a71c1a74433e5ce45ba64a38995b2d79dcee78a8113d12c86d6668b0f4f4331cab29b29f018638185db503898d4561438d5fd98103b074428

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\main.ini

Filesize
271B

MD5
6c80f814e6c7d7ec1cc1e29c6607696d

SHA1
a041a2abec06d734d0de9ba20985b7f507bc7fcc

SHA256
7c371f03fc99bba5cfa733d6d2db1434edbcb1e69acf9f8ed1f5dc065bca5863

SHA512
3609c481103bc9b87090e957b827b95f4c7b70d4529c43fcdfd274dd99eca2dc8cb5b11a402933a8b7eb7ce40e5a05c50124e646eae05f15ff7f70bca760fd14

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\main.ini

Filesize
271B

MD5
6c80f814e6c7d7ec1cc1e29c6607696d

SHA1
a041a2abec06d734d0de9ba20985b7f507bc7fcc

SHA256
7c371f03fc99bba5cfa733d6d2db1434edbcb1e69acf9f8ed1f5dc065bca5863

SHA512
3609c481103bc9b87090e957b827b95f4c7b70d4529c43fcdfd274dd99eca2dc8cb5b11a402933a8b7eb7ce40e5a05c50124e646eae05f15ff7f70bca760fd14

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\node.dll

Filesize
16.0MB

MD5
477f86e7501168050e657b76078662e3

SHA1
d756bc4f9af91d29d7cf541974a6f55e1a0ecd63

SHA256
86757d7c22ee09e27d673c51007f4b28cbbc8f09fe78d92feb1617b399d152ca

SHA512
1aa889c09d63e011edb351059a294f1318473237efb44ecde05674a7ac70311a7628d08e38e18b9f12c2df9e06f06d31be0b44e42078c977f8ac4063398172cd

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\node.dll

Filesize
16.0MB

MD5
477f86e7501168050e657b76078662e3

SHA1
d756bc4f9af91d29d7cf541974a6f55e1a0ecd63

SHA256
86757d7c22ee09e27d673c51007f4b28cbbc8f09fe78d92feb1617b399d152ca

SHA512
1aa889c09d63e011edb351059a294f1318473237efb44ecde05674a7ac70311a7628d08e38e18b9f12c2df9e06f06d31be0b44e42078c977f8ac4063398172cd

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe

Filesize
174KB

MD5
250175abee5aa98c9805a4ba1fc5c0f5

SHA1
803254dc885e94a77096cc53c2888ab425db9f30

SHA256
4cad083c8bcafb53a9834d98c938c4a17904c06aff6c6a23e3568dffce0e923d

SHA512
e1b3f5d5d3fd7ef427b8ebb0821c0230015289cc0beed290302f5891b0bafca2fe276d3e5fc9b5eed986d1945de08a344ccc21172017431efeb81ea2b3daa4e2

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe

Filesize
174KB

MD5
250175abee5aa98c9805a4ba1fc5c0f5

SHA1
803254dc885e94a77096cc53c2888ab425db9f30

SHA256
4cad083c8bcafb53a9834d98c938c4a17904c06aff6c6a23e3568dffce0e923d

SHA512
e1b3f5d5d3fd7ef427b8ebb0821c0230015289cc0beed290302f5891b0bafca2fe276d3e5fc9b5eed986d1945de08a344ccc21172017431efeb81ea2b3daa4e2

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeTools.exe

Filesize
174KB

MD5
250175abee5aa98c9805a4ba1fc5c0f5

SHA1
803254dc885e94a77096cc53c2888ab425db9f30

SHA256
4cad083c8bcafb53a9834d98c938c4a17904c06aff6c6a23e3568dffce0e923d

SHA512
e1b3f5d5d3fd7ef427b8ebb0821c0230015289cc0beed290302f5891b0bafca2fe276d3e5fc9b5eed986d1945de08a344ccc21172017431efeb81ea2b3daa4e2

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll

Filesize
334KB

MD5
904af7508f0d328e7c7143e4851e238e

SHA1
85a791f1c52884ea16297ea66681d7a5eeb54708

SHA256
28aba656592b3f2c7617fe8a0fde8c19d11340b99bad0f324bc6a733deacad5e

SHA512
e2a603f1489c6db3456c833d11acab8adcfe7e98a7aa19d6df3e356c96073ed58c188b12cacdabd37700927c63c0c737303b2933ea26ef87919ea360b85ecf48

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll

Filesize
334KB

MD5
904af7508f0d328e7c7143e4851e238e

SHA1
85a791f1c52884ea16297ea66681d7a5eeb54708

SHA256
28aba656592b3f2c7617fe8a0fde8c19d11340b99bad0f324bc6a733deacad5e

SHA512
e2a603f1489c6db3456c833d11acab8adcfe7e98a7aa19d6df3e356c96073ed58c188b12cacdabd37700927c63c0c737303b2933ea26ef87919ea360b85ecf48

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdfeditormenu64.dll

Filesize
334KB

MD5
904af7508f0d328e7c7143e4851e238e

SHA1
85a791f1c52884ea16297ea66681d7a5eeb54708

SHA256
28aba656592b3f2c7617fe8a0fde8c19d11340b99bad0f324bc6a733deacad5e

SHA512
e2a603f1489c6db3456c833d11acab8adcfe7e98a7aa19d6df3e356c96073ed58c188b12cacdabd37700927c63c0c737303b2933ea26ef87919ea360b85ecf48

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdftools.dll

Filesize
108KB

MD5
92fe04ae41e97f3c66577838ee84cce4

SHA1
1f0a5fd454eeead93d3bc5edb01c06402d634a89

SHA256
481ae7a4b6da5830f7909242d137f1040d6afe4fa8a7bedfdb0000fb810430d9

SHA512
a7c051073744d9e598fc3d6184a232ab0e358ef78d27b8da9bc29862875379d5c0412784d385240937e6cdc36b912ba18b00701ed89151687fbe187a2108b762

Download Submit
C:\Users\Admin\AppData\Roaming\fypdfeditor\pdftools.dll

Filesize
108KB

MD5
92fe04ae41e97f3c66577838ee84cce4

SHA1
1f0a5fd454eeead93d3bc5edb01c06402d634a89

SHA256
481ae7a4b6da5830f7909242d137f1040d6afe4fa8a7bedfdb0000fb810430d9

SHA512
a7c051073744d9e598fc3d6184a232ab0e358ef78d27b8da9bc29862875379d5c0412784d385240937e6cdc36b912ba18b00701ed89151687fbe187a2108b762

Download Submit
memory/1236-240-0x000000002FA00000-0x000000002FA01000-memory.dmp

Filesize
4KB

Download
memory/1236-241-0x0000000011200000-0x0000000011201000-memory.dmp

Filesize
4KB

Download
memory/1236-420-0x000000002B900000-0x000000002B901000-memory.dmp

Filesize
4KB

Download